Abstract
An online world exists in which businesses have become burdened with managerial and legal duties regarding the seeking of informed consent and the protection of privacy and personal data, while growing public cynicism regarding personal data collection threatens the healthy development of marketing and e-commerce. This research seeks to address such cynicism by assisting organisations to devise ethical consent management processes that consider an individual’s attitudes, their subjective norms and their perceived sense of control during the elicitation of consent. It does so by developing an original conceptual model for online informed consent, argued through logical reasoning, and supported by an illustrative example, which brings together the autonomous authorisation (AA) model of informed consent and the theory of planned behaviour (TPB). Accordingly, it constructs a model for online informed consent, rooted in the ethic of autonomy, which employs behavioural theory to facilitate a mode of consent elicitation that prioritises users’ interests and supports ethical information management and marketing practices. The model also introduces a novel concept, the informed attitude, which must be present for informed consent to be valid. It also reveals that, under certain tolerated conditions, it is possible for informed consent to be provided unwillingly and to remain valid: this has significant ethical, information management and marketing implications.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
Introduction
The overreaching aim of this paper is to support ethical personal information management and marketing practices by developing a conceptual model for online informed consent decision-making, situated in normative ethics theory, based upon the unification of the autonomous authorisation (AA) model of informed consent and the theory of planned behaviour (TPB), which prioritises users’ interests. It seeks to equip organisations with a behavioural-focussed, theoretical framework that describes the mechanism of online consent provision, as experienced by the web user. This user-focussed frame of reference has the potential to substantially address many of the privacy concerns and the scepticism of the online citizen.
Informed consent to personal data processing has its roots in and derives its core meaning from the domains of medicine and research (Beauchamp, 2011). That core meaning concerns the primacy of human autonomy: people have the right to make decisions for themselves (Kirby, 1983; Tymchuk, 1997). Autonomy is a foundational ethical principle in Kantian deontology, which is often described as moral autonomy—the capacity of rational persons to impose upon themselves moral laws, free from external influences. However, it has also been argued to play a key role in consequentialist ethical theory via its association with well-being—and resulting utilitarian value. Consent and autonomy are also central aspects of the contractualist tradition in which individual interests are pursued for effective mutual advantage via autonomous agreement to achievable self-imposed obligations and constraints (Heugens et al., 2006a, 2006b). Autonomy, in business-consumer interactions, essentially requires organisations to respect the right of consumers to make rational decisions. This means furnishing consumers with all relevant information, and to not subject them to manipulation or coercion, which are core principles of the AA model of informed consent.
Consent also possesses “moral force”: it can transform a wrong into a right and it has the ethical power to recast the normative expectations that exist between individuals (Hurd, 1996). Kant’s conception of autonomy is ineliminably linked with morality being a form of self-governance, as opposed to earlier interpretations of morality as obedience to the state, church or others professing to be wiser than us, and it heralded the emergence of the Western liberal view of society (Campbell, 2017). More recently, the concept has been transferred to the digital self in the online world.
The digital self is founded upon personal information stored about an individual in online databases. Concerns have been expressed for some time about the manner in which this information is collected and aggregated (Bashir et al., 2015; Borgesius, 2015; Cate & Mayer-Schönberger, 2013; Solove, 2013) and the power that it is handing to multi-national corporations (Lanier & Weyl, 2018). Revelations such as the 2018 Facebook-Cambridge Analytica data scandal where it was reported that Facebook user data was used to influence voters’ choices at the US ballot box (Cadwalladr & Graham-Harrison, 2018) and a multitude of reports of data security breaches (Hajli et al., 2017), have led to a general diminishment of trust in technology companies (O'Flaherty, 2018). A recent global survey (of Millennials) indicated a pervasive, deep disillusionment in governments and corporations, with widespread scepticism of business’ motives and dissatisfaction with the way in which personal data are being used (Deloitte, 2019).
Linked to this are growing privacy concerns which are becoming more significant in the big data era and are requiring increased organisational focus (Hong et al., 2021; McAfee et al., 2012). These concerns frequently inhibit the adoption and exploitation of big data analytics (Alharthi et al., 2017; Pantano et al., 2021), which has consequences for innovation (Mikalef et al, 2019) and, ultimately, long-term business sustainability. Indeed, organisations that take advantage of the business benefits that big data promises, but fail to appropriately reconcile these concerns, risk repercussions that could cause serious detriment to their reputation, capabilities and overall competitive advantage (Hajli et al., 2021). To address these challenges, the concept of privacy by design (PbD) is gaining traction (Romanou, 2018), and is a key concern for the general data protection regulation (GDPR) (Andrew & Baker, 2021). PbD involves embedding privacy principles into the design, operation and management of information systems, in which the individual’s free and specific consent is required for the collection, use or disclosure of their personal data (Cavoukian, 2009).
In the UK and the EU, disclosed personal data may be processed under several legal bases, one of which is consent [GDPR Article 6(1), Data Protection Act 2018]. Consent requests often form part of a "secondary exchange" in relation to the "primary exchange" of purchase of or subscription to mainstream goods or services that have become part of the everyday digital economy (Culnan & Bies, 2003; Obar, 2020). A system exists at present in which many businesses satisfy their legal duties regarding the seeking of consent for personal data processing using “clickwraps”. Clickwraps are digital prompts that enable web users to effortlessly signify their consent by checking a box, clicking a button or employing some other similar means (Obar, 2020). They also provide a means to opt out of all or some of the data collection activities, but this is commonly a more inconvenient process, with more buttons to click (Obar, 2020) and with access to service often being denied if consent is not provided (Schermer et al., 2014; Tsohou & Kosta, 2017). Indeed, if a user wishes to check the privacy policy associated with a consent request, they usually find a lengthy document, often written in legalistic language that they do not understand (Acquisti et al., 2015; Mai, 2016; Schermer et al., 2014; Wright & Xie, 2019). Moreover, in the context of data processing, due to the complexity of data-sharing arrangements, the individual is no longer able to make rational, conscious or autonomous decisions (Marwick & Hargittai, 2019; Obar, 2020; Schermer et al., 2014). Cumulatively, this leads to consent desensitisation or fatigue in which people do not make active, informed choices, become disinterested, or feel powerless when confronted with the consent request (Obar, 2020; Tene & Polonetsky, 2012).
Understanding this dynamic is key to implementing practices that prioritise users’ interests in the domain of consent elicitation. However, despite informed consent being intrinsic to much of the personal data collection that takes place online, the nature of online consent remains ill-understood (Solove, 2013). Models have been proposed which seek to explain online personal information disclosure behaviours across a variety of situations (see e.g. Dinev & Hart, 2006; Li et al., 2011; Malhotra et al., 2004; Smith et al., 1996; Van Slyke et al., 2006; Xu et al., 2013), and studies have investigated an increasing number of antecedents and outcomes for privacy concerns in an ever-growing number of contexts (Yun et al., 2019). This has led to calls for a consolidation of privacy-related constructs that can cater for disparate contexts to allow the development of a robust underlying theoretical model that explains consent behaviours (Yun et al., 2019). However, no such models have been produced to date and a gap certainly exists in the sense that no attempt has been made to build a macro-level model for online informed consent that is situated in behavioural modelling theory. This paper proposes a model that connects behavioural theory to informed consent theory, to promote better understanding of the behavioural mechanisms that are congruent with the principle of informed consent in the context of personal data collection and subsequent processing. A corollary of the model allows situations or behaviours that are not concordant with an individual’s informed consent for personal data processing to be discerned, for example, to identify unethical data collection practices in the marketing domain.
In the present research, the TPB is the chosen theoretical behavioural lens. While the scope for its improvement has been acknowledged (Ajzen, 1991) and it has received criticism in some quarters (see Bagozzi, 1992, 2007; Benbasat & Barki, 2007), it remains extensively used in contemporary studies to analyse a profusion of behaviours in numerous contexts (including online contexts) either in its original form, in an extended form, or in combination with other theories or models (see e.g. Apau & Koranteng, 2019; Ho et al., 2017; Li et al., 2019; Sharif & Naghavi, 2020). Among several advantages that the TPB has over competing behavioural models is its parsimony, and a set of explanatory variables that have distinct conceptual foci (Crespo & del Bosque, 2008). Moreover, it has commonly been used to underpin investigations concerning online personal information disclosure (Smith et al., 2011).
A number of models exist for informed consent, one of which considers informed consent as a form of autonomous authorisation (AA) (Faden & Beauchamp, 1986). Although the AA model originally derives from the medico-legal domain, Faden and Beauchamp (1986) did not preclude its use in other contexts. Moreover, this mode of autonomous consent provision is particularly applicable to the present research because it forms the basis for providing consent for personal data processing under the GDPR (Carolan, 2016; Schermer et al., 2014). Moreover, as is demonstrated in the section “Relationships between AA and TPB constructs”, the variables within the TPB model align with those of the AA model of informed consent. Accordingly, combining these models offers the potential to address the gap regarding macro-modelling of online informed consent through a behavioural lens. In addition to addressing this gap, this paper also serves an inter-disciplinary function by extending the use of the AA model from a tradition within the medico-legal ethical domain into a new domain of business ethics and, in particular, the ethics of online subscription to goods and services and associated marketing activities.
Literature Review and Theoretical Framework
Various theoretical constructions have been proposed for informed consent. On one level, there are those constructions that seek to characterise the provision of consent in terms of the extent to which the consent of an individual may be purposed or re-purposed. These models include broad consent, blanket consent (Ploug & Holm, 2015a), presumed consent (Hofmann, 2009), express consent (Win, 2005) and implied consent (Hofmann, 2009). On an entirely different level, there are models that seek to address the ontology of consent. These models, because they seek to address the intrinsic nature of consent, are of particular interest in the present paper. They include the disclosure model (Faden & Beauchamp, 1986; Friedman et al., 2000; Marta, 1996; Sim & Wright, 2000), the effective consent model (Faden & Beauchamp, 1986), the AA model (Faden & Beauchamp, 1986) and the fair transaction model (Miller & Wertheimer, 2011). This paper is especially concerned with the AA model, because of its direct relationship with data protection legislation, as discussed in the section “Introduction”. A brief description of this and the other ontological models is provided in this section to place the AA model in context.
The disclosure model is the traditional medico-legal model, and it identifies five constituents of consent: disclosure, comprehension, voluntariness, competence and agreement (Faden & Beauchamp, 1986; Friedman et al., 2000; Marta, 1996; Sim & Wright, 2000). Disclosure refers to the adequacy of the information provided to the participant. Comprehension concerns the participant’s understanding of the information provided. Competence concerns the participant’s ability to make a rational decision, and includes psychological as well as social and legal criteria (e.g. age thresholds) (Faden & Beauchamp, 1986). Voluntariness relates to the absence of control regarding the decision. The final element, agreement, is sometimes omitted as an element and, in other analyses, it is given a different label, being variously referred to as consent, decision, collaboration or agreement (Faden & Beauchamp, 1986; Friedman et al., 2000; Marta, 1996; Sim & Wright, 2000).
The effective consent model, proposed by Faden and Beauchamp (1986), closely resembles the disclosure model, in which a framework of organisational and institutional rules, policies and procedures shape the seeking of consent. It does not rely upon the autonomy of the person. Rather, it is concerned with legally and institutionally effective systems of processes and regulations that govern the seeking of consent and regulate the behaviour of the consent seeker (Faden & Beauchamp, 1986).
In the fair transaction model (Miller & Wertheimer, 2011), disclosure, comprehension, competence, voluntariness and absence of deception are key aspects but, unlike the disclosure model, they are context sensitive. What comprises fairness is dependent upon the risk–benefit profile; greater efforts are required to promote and verify comprehension as the negative consequences to individuals increase.
The AA model of consent, proposed by Faden and Beauchamp (1986), is purely logical in concept and free from normative conditions which may be applied for practical or policy reasons. The model submits that informed consent is synonymous with autonomous authorisation, i.e. that autonomy and authorisation are its constituent elements. They define autonomy as consisting of substantial understanding, non-control and intentionality.
According to Faden and Beauchamp (1986), substantial understanding requires “apprehension of all the material or important descriptions—but not all the relevant (and certainly not all possible) descriptions”. They describe how the importance of a description may largely be determined by “the extent to which the description is material to the person’s decision to authorize” (p. 302), which they say is entirely subjective. An intentional action, according to Faden and Beauchamp (1986), is one “willed in accordance with a plan” (p. 243), but it also includes tolerated acts. Tolerated acts are those that may be unwanted or undesirable. Non-control refers to there being no external controls on the action: an external controlling influence would negate autonomy.
Autonomy is a principle that is key to deontological theories and has been argued to also play a pivotal role in consequentialist ethical theories. It is a fundamental principle of ethics in Kantian deontology that lies at the heart of his fundamental principle of morality—the Categorical Imperative, which states that you should act only according to that maxim that you would wish all other rational people to follow as if it were a universal law (Kant, 1785). Kant’s formulation of autonomy is based upon the principle that a person is obliged to follow the Categorical Imperative because of their use of reason, rather than any external influence (White, 2004). This proposition requires people to recognise the right of others to also act autonomously. In the commercial context, this translates to businesses furnishing consumers with material information relevant to their decision and respecting their right to be free from external control or influence.
To some extent, this resonates with the stakeholder theory approach to marketing ethics. As a normative theory, the stakeholder theory contends that managers have a fiduciary relationship with all stakeholders and when the interests of stakeholders conflict, the optimal balance must be achieved (Hasnas, 1998). In its empirical form, it effectively asserts that a business's financial success requires all stakeholders' interests to be given proper consideration and that policies should be adopted to effect the best balance among them (Hasnas, 1998). Cohen (1995) suggests that consent is intrinsically related to the concept of stakeholdership—that what an individual or a group of individuals would consent to is an important aspect of stakeholder interest and that notions of stakeholdership would benefit from the perspective of consent theory—for which agent autonomy is a central principle.
However, in stakeholder theory, the interests of the individual can be subdued to the interests of the wider collective group of stakeholders to achieve the optimal balance so while their autonomy may be respected, their interests may not actually be served in the stakeholder paradigm (Ambler & Wilson, 1995; Hasnas, 1998). At a more fundamental level, the prioritisation of competing stakeholder claims also encumbers normative stakeholder theorisation (Van Oosterhout et al., 2006).
The approach of contractualism is very different. Contractualism does not aggregate interests, but rather centres on the interests of individuals and captures “the separateness of persons” (Rawls, 1971). Parties to an agreement must have (a) interests that largely align, (b) the ability to abide by the terms of the agreement and (c) have sufficient autonomy to adhere to self-imposed obligations and constraints (Heugens et al., 2006a, 2006b).
The principle of autonomy is not generally associated with consequentialism because it allows for aggression against individuals to aid others (Cummiskey, 1990). However, Mill’s (1859) view of autonomy is actually rooted in consequentialist ethical theory, claiming that it is an essential element of well-being and, therefore, has utilitarian value. In the commercial context, a sense of autonomy has been argued as being vital to a consumer’s well-being, with consumers experiencing utility from the attribution of positive outcomes to the self when they feel in control of their behaviours or choices (André et al., 2018).
Making informed choices is key to Faden and Beauchamp’s (1986) AA model but they refused to generalise the model beyond the medical and research settings and even acknowledged that it might not be possible to apply the AA model to some environments. However, more importantly, they did not preclude its use in other contexts, and subsequent literature has since recognised the AA model as valid within the personal data processing context (Schermer et al., 2014). Within this context, automation is, for example, facilitating micro-targeted marketing practices, based upon behavioural observations, which, on the one hand, facilitate easier consumer choices and enhance well-being but, on the other hand, could undermine their sense of autonomy and undermine well-being (André et al., 2018). The model presented in this paper helps to dissect the factors at play in such decision-making processes.
Table 1 summarises the consent models described in this section.
The protection of personal data falls to the general data protection regulation (GDPR) in the EU and, in the UK, its incorporation into post-Brexit UK law as the UK GDPR. Schermer et al. (2014) point to the GDPR as strongly influenced by the AA model but they argue that AA does not consider the realities of the human decision-making process concerning personal data processing. Therefore, a model that also considers human behaviour would be particularly advantageous.
As far as online consent behaviour is concerned, in the EU and the UK, the regulatory framework dictates that signification of consent is required “by a statement or by a clear affirmative action” [GDPR, Article 4(11)], typically by ticking a box or clicking “I agree”. In this sense, it has a discernible behavioural component. Several behavioural models exist to explain human behaviour in various contexts, of which the main ones of relevance to consent behaviours are shown in Table 2.
Of the theories described in Table 2, the TPB is the theory of choice to advance the development of a model for online consent to personal data processing. Some justification is provided in Table 2, but the merits or otherwise of competing models shown in Table 2 is not the focus of this paper—for fuller details pertaining to each of the models, the reader may consult the referenced articles included within the table.
The TPB is a psychological theory that connects beliefs with behaviour. It states that attitudes towards the behaviour, subjective norms and perceived control over the behaviour are predictors of behavioural intentions. In turn, these behavioural intentions, in conjunction with perceived behavioural control (PBC), are predictors of the behaviour (Ajzen, 1991). The TPB is designed to predict and explain human behaviour in specific contexts. Figure 1 illustrates this relationship.
Theory of planned behaviour [adapted from Ajzen (1991)]
Upon initial inspection, as explained next, there is a high degree of commonality between the constructs of the AA model of consent (understanding, non-control, intention and authorisation) and those of the TPB (attitude, PBC, subjective norm, intention and behaviour). In brief, an attitude is formed from one’s understanding of something in much the same way as one’s control over something also derives from one’s understanding of it. In this regard, both the attitude construct and the PBC construct in the TPB are related to the understanding construct in the AA model. Subjective norms relate to the perceived social pressure to engage or not to engage in a behaviour (Ajzen, 1991) and such pressure ostensibly relates to how much individual control a person feels they have in relation to that behaviour. In this manner, the subjective norm construct in the TPB is related to the non-control construct in the AA model. An act of authorisation is, essentially, a behavioural act, so the TPB construct of behaviour and the AA construct of authorisation, have a clear association. Furthermore, the intention construct is common to both models. These associations are summarised in Table 3 and are discussed more fully in the section “Relationships between AA and TPB constructs”.
Methodology
This research uses a qualitative method (logical reasoning) supported by an illustrative example. First, it employs logical reasoning to develop an original conceptual model for online informed consent decision-making based upon the unification of the AA model of informed consent and the TPB: each of the constructs of each of the theories is dissected and conditions are highlighted under which a TPB construct aligns with an AA construct. Second, an illustrative example, consisting of an analysis of web users’ behaviour regarding tracking is employed to demonstrate various aspects of the model. The illustrative example is based upon extant research.
The use of an illustrative example to demonstrate the empirical relevance of a theoretical model was advanced by Eckstein (1975) in his seminal paper which considered how case studies could be used to facilitate research in the social sciences domain. More recently, Yin (1994) has similarly argued that the illustration of certain topics within a research domain, by way of case study or example, can greatly help to understand real-life phenomena in depth.
The use of an illustrative example is beneficial for three primary reasons: (i) it allows for closer inspection of constructs and empirical illustration of causal relationships by studying complex phenomena within their contexts (George & Bennett, 2005; Siggelkow, 2007); (ii) it can attain high levels of conceptual validity by providing a mechanism to refine concepts (George & Bennett, 2005); (iii) it allows for the study of phenomena that would otherwise be difficult to quantify or study outside of their natural setting (Bonoma, 1985).
More specifically, in the present research, using tracking cookies to illustrate specific aspects of the proposed model has the advantage of being able to leverage considerable prior research in the domain of web user behaviour in relation to cookie notices.
Relationships Between AA and TPB Constructs
This paper is primarily concerned with eliciting the relationships between the AA and the TPB constructs to facilitate a mode of consent elicitation that supports ethical information management and marketing practices. It uses the definitions of the constructs detailed within each of the models, as articulated by each of their architects, Faden and Beauchamp (1986) and Ajzen (1991) respectively. It is not concerned with scholarly debates surrounding the nature of these constructs. This section draws heavily upon the description of the TPB as per Ajzen (1991) and the interpretation of consent as per the AA model of Faden and Beauchamp (1986).
The Relationship Between Understanding and Attitude, and Between Understanding and PBC
This section demonstrates that the understanding construct embedded within the AA model of informed consent (Faden & Beauchamp, 1986) and the attitude construct in the TPB (Ajzen, 1991) are concomitant, to the extent that one overlaps, either wholly or partially, with the other. A similar demonstration is presented for the relationship between understanding and PBC.
The AA model of consent defines the understanding that is required for the validity of informed consent. This is wholly independent of what an individual actually understands. Therefore, required understanding and actual understanding may not be congruent.
Understanding is a highly nuanced phenomenon with numerous interpretations. The AA model, however, is concerned with two particular categories of understanding in relation to the consent process. These are (i) the requirement that an individual “understands that” they are authorising and (ii) that they “understand what” they are authorising (Faden & Beauchamp, 1986). Both are explored in this section.
The Relationship Between Understanding that they are Authorising and PBC Over the Authorisation Process
The PBC construct in the TPB owes much to Bandura’s work on self-efficacy (Ajzen, 2002). Perceived self-efficacy is concerned with “people’s beliefs about their capabilities to exercise control over their own level of functioning and over events that affect their lives” (Bandura, 1991, p. 257). The difference between the two is that PBC is concerned with control over the behaviour, whereas perceived self-efficacy is concerned with control over outcomes (Ajzen, 2002). In the context of providing authorisation for the sharing of personal data, this distinction is important: an individual may have control over the authorisation behaviour (i.e. they can choose to share their personal data or not), but their control over the authorisation outcome (i.e. precisely how their personal data is used) is an entirely separate consideration.
The PBC construct in the TPB comprises control beliefs and the strengths of those beliefs in respect of their capacity to influence the behaviour in question. These beliefs combine to create a “perceived ease or difficulty of performing the behaviour”, which serves as the definition of PBC (Ajzen, 1991). The construct is given by Eq. (1):
where n is the number of salient control beliefs, and pi is the perceived power of the control belief ci to facilitate or inhibit the behaviour.
In the course of authorising, an individual uses any “right, power, or control” that they possess in order to bestow another with the right to act (Faden & Beauchamp, 1986). This Faden and Beauchamp describe as the “permission giving” and “transfer-of-control” function of authorisation.
To understand is to perceive. Therefore, an individual understanding that they are authorising, is synonymous with them perceiving that they are authorising, i.e. they perceive that they are giving permission and transferring control. If they perceive that they are transferring control, then it logically follows that they must also perceive that said control lies within their means in the first place. They may have one or more beliefs concerning their control over the authorisation process, and each such control belief (ci) they may hold to a greater or lesser extent (pi). The totality of these beliefs constitutes their understanding that they are authorising and it can be represented by the PBC construct in the TPB, if authorisation is considered as a form of behaviour.
Whether perceived control is transferred voluntarily is an entirely separate consideration. Voluntariness is a distinct construct that is related to the non-control construct in the AA model and the subjective norm construct in the TPB model, as discussed in the section “Non-control (and its relationship with subjective norms)”.
Whether an individual has the power or control to authorise is a matter of fact, not belief or understanding. It is a binary construct (i.e. they either have control or not), and it adds a third dimension (the first two being what is required to be understood and what an individual actually understands) to the consent process. Ajzen (1991) recognises this as actual control over the behaviour in question.
An individual’s beliefs regarding their control over the authorisation process may correspond with the fact of their control, or it may not. If it does not, it is a false belief. Faden and Beauchamp (1986) adopt a “justified belief” standard to evaluate the quality of an individual’s understanding: is the person holding the belief justified in believing that it is true?
The understanding of an action and the performance of it, based solely upon a demonstrably false belief, is less than fully autonomous (Faden & Beauchamp, 1986). Where an individual holds several beliefs, some justified and some demonstrably false, substantial understanding may still be possible, depending upon the extent to which the false beliefs affect their understanding.
There are two types of false beliefs concerning control over the authorisation process. Firstly, when an individual believes that they have control over the authorisation process when, in fact, they do not. Secondly, a false belief can also arise when an individual believes that they do not have control over the authorisation process when, in fact, they do. In both cases, the individual misunderstands their capabilities in terms of the authorisation. In the latter case, in terms of PBC constructs, this could be considered an individual holding a “negative control” belief (i.e. pi has a negative value).
In their discussion of false beliefs, Faden and Beauchamp (1986) declare, “some false beliefs are more important…than others, and these must be given more weight” (p. 253). This assertion accords with how beliefs are framed in the TPB: in the TPB, false control beliefs ci and cj are not necessarily equal: they have different weights or powers, pi and pj.
Furthermore, an individual may hold “mixed beliefs”, partly believing that they have control and, partly believing that they do not. This ambivalence, in terms of PBC constructs, may be viewed as an individual holding one or more control beliefs with a positive pi and one or more control beliefs with a negative pi. Depending upon the strength of each control belief and whether it is positive or negative will determine, on balance, whether they believe they have control or not. Table 4 summarises this discourse.
Requiring an understanding that one is authorising and actually understanding that one is authorising are not synonymous. Given that a requirement of informed consent is the individual understanding that they are authorising, then they are required to hold a set of control beliefs that are compatible with that understanding. If they do, then their PBC over authorisation equates with their understanding that they are authorising. Conversely, in the case where an individual has the power or control to authorise a particular course of action, but they hold no belief that they do, then their PBC over authorisation does not match with the required understanding that they can authorise, and they cannot provide valid consent.
Further, an individual may not have the power or control to authorise a particular course of action, and hence they cannot provide valid consent, but they believe that they do. Here, they hold a demonstrably false belief. The belief of their control over the authorisation process does not correspond with the fact of their control, so any authorisation would be less than fully autonomous, and informed consent is impossible. Here, their PBC over authorisation equates with a false understanding that they can authorise.
If they do not have the power or control to authorise a particular course of action and this is what they believe, then, clearly, they do not possess an understanding that they can authorise, so informed consent is not possible. In this scenario, their PBC over authorisation corresponds with the understanding that they cannot authorise (see Table 5).
It is only when the required understanding, the actual understanding and the factual power/control over authorisation are all positive that informed consent is possible (see Fig. 2).
Conceptual representation of the relationship between the required understanding of power/control to authorise, the actual understanding of power/control to authorise, the factual control over authorisation, and where informed consent is possible
Understanding what they are Authorising (and Its Relationship with Attitudes)
Attitude is defined as the “degree to which a person has a favourable or unfavourable evaluation or appraisal of the behaviour in question” (Ajzen, 1991) and it is expressed by Eq. (2). According to Ajzen (1991), beliefs concerning the consequences of a behaviour determine attitudes towards the behaviour. Beliefs about something are formed by associating it with attributes. In the case of attitude towards a behaviour, those attributes may be the outcome or the cost of performing the behaviour. The attitude construct in the TPB is constituted of salient belief strengths (assessed usually on a scale ranging from likely to unlikely), and a subjective outcome evaluation of each belief held about the object of the attitude (assessed usually on a scale ranging from good to bad).
where n is the number of salient beliefs and bi is the strength of each salient belief, and ei is the subjective evaluation of the belief’s attribute.
In their discussion of what it means to understand an action, Faden and Beauchamp (1986) observe that it colloquially corresponds to having “justified beliefs” about the consequences of what one is doing (Faden & Beauchamp, 1986). Regarding the concern with “beliefs”, already apparent, therefore, is some similarity between the attitude construct in the TPB and the understanding construct in the AA model.
The AA model of consent requires a substantial understanding of what one is authorising. Substantial understanding lies on the continuum between full understanding and full ignorance (Faden & Beauchamp, 1986). As discussed earlier, substantial understanding requires apprehension of all material or important descriptions.
A material description is one that would be viewed, by the individual concerned, as worthy of consideration in deciding whether to perform a proposed action (Faden & Beauchamp, 1986). If an individual regards a description as worthy of consideration regarding their decision to authorise, they must be able to form some belief concerning that description and accord some positive or negative attributes to that belief. The individual may possess several beliefs concerning the material description, and each belief they may hold to a greater or lesser extent. The totality of these beliefs represents their apprehension of the material descriptions. This corresponds with the summative salient belief index in the attitudinal construct in the TPB. According to the TPB, an attitude will be formed towards what is being authorised, based upon the material descriptions. For substantial understanding to be achieved, it is necessary to form an attitude towards what is being authorised based upon all material descriptions.
Substantial understanding also requires an “extra subjective component”. The extra subjective component essentially comprises some objective facts that must be understood. These are “the essential elements of the arrangement” (Faden & Beauchamp, 1986). The attitude towards what is being authorised will only be affected if the individual forms salient beliefs concerning the objective facts that must be understood. Salient beliefs will only be formed in respect of material descriptions. If these objective facts are material to the individual, then salient beliefs will be formed which will affect attitude formation. If the individual has an apprehension of all the material descriptions and the objective facts are material to the individual, then, for the purposes of the present paper, it will be called an “informed attitude”. If the objective facts are not material to the individual, then salient beliefs will not be formed regarding them, and they will not affect attitude formation: this will be called an “uninformed attitude”. An uninformed attitude is also formed if individuals form an attitude towards what they are authorising based upon some, but not all, material descriptions.
The apprehension of non-material or unimportant descriptions of what one is authorising have no bearing upon informed consent. Given that they are not material to the individual, the individual will not form salient beliefs regarding those descriptions. The attitude construct in the TPB is concerned with salient beliefs, so these non-material descriptions will not contribute to the formation of the attitude towards what they are authorising.
In summary, informed consent requires attitudes to be formed towards all material descriptions of what is being authorised. The material descriptions must include the objective facts required to be understood; attitudes towards non-material descriptions have no bearing upon informed consent. Figure 3 illustrates the composition of informed and uninformed attitudes.
Conceptual representation of the factors at play in the definition of a informed and b uninformed attitudes
Note that it may be the case that a description that is material to the person’s decision to authorise is a false description which leads to a false (but salient) belief formation. The false belief will affect the attitude towards what is being authorised. Where an individual holds several beliefs, some justified and some demonstrably false, but salient, substantial understanding may still be possible, depending upon the extent to which the false beliefs affect their understanding. An informed attitude is still possible, but it will only be formed if substantial understanding is achieved and the objective facts that must be understood are material to the individual.
Non-control (and Its Relationship with Subjective Norms)
This section highlights the relationship that exists between the subjective norm component of the TPB and the non-control component of the AA model of informed consent.
For valid informed consent, there must be an absence of external control on the individual’s decision to authorise. Faden and Beauchamp (1986) call this criterion “non-control”. Control is applied through influencing the individual’s analysis of a situation. Faden and Beauchamp (1986) describe three types of external influence: persuasion, manipulation and coercion. In their description, persuasion is never controlling, while coercion is always controlling. Manipulation occupies the grey region between the two, and it may be persuasive or coercive, depending upon the degree to which the individual’s decision is affected by the influence. If the influence on action is substantially controlling, then the action cannot be autonomous. Conversely, if an influence on action is substantially non-controlling, then the action can be autonomous. Therefore, non-control reflects a spectrum of allowable influence upon an informed consent decision that does not invalidate it. Consequently, the relationship between subjective norm and non-control is demonstrated by illustrating that a subjective norm is a form of influence and that it can exist on the same spectrum of influence as that of non-control.
Norms have a powerful and consistent impact on behaviour (Cialdini et al., 1991). With reference to a particular social group, two types of norms exist: descriptive norms and injunctive norms. A descriptive norm is an individual’s perception of what most people do, and its motivational element is characterised by informational social influence (Cialdini et al., 1991). Informational social influence is defined as “an influence to accept information obtained from another as evidence about reality” (Deutsch & Gerard, 1955). An injunctive norm is an individual’s perception of what most people would approve or disapprove, and its motivational element is characterised by normative social influence (Cialdini et al., 1991). Normative social influence is defined as the influence to conform to another person's positive expectations or group or even to one’s “self” (Deutsch & Gerard, 1955). The subjective norm component in the TPB is an injunctive norm (White et al., 2009). It is, therefore, concerned with normative social influence so it may be substantially controlling or substantially non-controlling.
Figure 4 illustrates the relationship between coercive influences (which are controlling) and persuasive influences (which are not controlling). Manipulation is depicted as occupying the region between coercion and persuasion and it can either be substantially controlling or substantially non-controlling depending upon where it lies on the influence scale. Figure 4 also illustrates the influence spectrum along which normative social influences (NSI) and informational social influences (ISI) may operate. Only when the combination of both of these influences is not substantially controlling is informed consent possible. If their combination is substantially controlling, then informed consent is not possible.
Relationship between autonomy and norm formation showing a the absence of or b the presence of controlling influences, building upon Faden and Beauchamp (1986)
Relationship Between AA Intention and TPB Intention
The intention construct is common to the AA model of consent and the TPB. This section examines the interpretation of intention in each of the models and then proceeds to highlight the relationship that exists between both manifestations.
In the TPB, intentions are “indications of how hard people are willing to try, of how much of an effort they are planning to exert, in order to perform the behaviour” and they “capture the motivational factors that influence a behaviour” (Ajzen, 1991, p. 181). The TPB deliberates very little over the nature of intention. However, it is clear that intention in the TPB is a motivational construct and is associated with a willingness to expend effort to try to enact the behaviour (Rhodes et al., 2006).
The model of intentional action used by Faden and Beauchamp (1986) is somewhat different from that used in the TPB. In their model, as well as acts that are willed in accordance with a plan (as per the TPB formulation) they also include “tolerated acts”. Tolerated acts are not undertaken willingly: they may be undesirable or unwanted but follow from the willed acts (Faden & Beauchamp, 1986), possibly as a “side effect”. Therefore, according to the TPB, given the lack of willingness, tolerated acts could not be considered as intentional. Hence, for the act of providing informed consent, intention, as per the AA model of informed consent, is a superset of the intention with which the TPB is concerned. Figure 5 illustrates this relationship.
Relationship between intention as per the AA model and intention as per the TPB
Relationship Between Authorisation and Behaviour
There is no generally accepted definition of the phenomenon that we call “behaviour”. For the purposes of the present analysis, the version that descriptive psychology offers is adopted. This states that behaviour is an attempt on the part of an individual to bring about some state of affairs—either to change that state of affairs or to maintain it (Bergner, 2011; Ossorio, 2006).
The act of authorising provides official permission for or formal approval to an action or an undertaking (Oxford English Dictionary, 2019). Authorisation brings about a state change. This state change concerns permission or approval: what once did not have permission or approval, following authorisation, gains permission or approval. It follows that authorisation is a form of behaviour.
Relationship Combination
Sections “The relationship between understanding and attitude, and between understanding and PBC”, “Non-control (and its relationship with subjective norms)”, “Relationship between AA intention and TPB intention” and “Relationship between authorisation and behaviour” related the constructs of the TPB to those of the AA model of informed consent. Figure 6 shows the resultant original conceptual model which overlays the AA constructs of understanding, non-control, intention and authorisation onto the TPB model.
Conceptual model of the relationship between TPB constructs and AA model of informed consent constructs [building upon Ajzen (1991)]
Illustrative Example: Tracking Cookies
Cookies are short text strings sent by web servers to the browser of an internet user. They initially emerged as a means for web users to revisit web sites without re-identifying themselves and their preferences with each visit. (Millett et al., 2001). However, they have evolved to be capable of collecting information about user’s browsing habits, information that can be distributed extensively and with relative ease to companies that can utilise it in marketing campaigns (Palmer, 2005; Stead & Gilbert, 2001). The GDPR requires that acceptance of these so-called tracking cookies is accompanied by an associated cookie policy or notice which explains how the user’s data is to be used (Bornschein et al., 2020). However, research has shown that many web users routinely accept these cookies with little or no reflection (Choi et al., 2018; Utz et al., 2019) or how they provide a mechanism through which their online practices may be monitored (Bauer et al., 2021; Lin & Loui, 1998). The unified model presented in this paper provides a means through which this form of web user behaviour can be better understood.
This section briefly explores the case of tracking cookies and how they provide a means to illustrate and contextualise the relationships between the constructs of the TPB and the AA model of consent presented in the section “Relationships between AA and TPB constructs”.
The Relationship Between the Web User Understanding that they are Authorising and Their PBC
When a person browses a website for access to goods or services, permission to share their personal data via a cookie notice is frequently requested (Bornschein et al., 2020). In this regard, they are presented with an authorisation request. This is consistent with the predominant “notice and choice” paradigm of privacy self-management, in which individuals act as their own gatekeeper for access to their personal information (Hoofnagle & Urban, 2014; Milne & Rohm, 2000; Solove, 2013).
The person may not understand that they are being asked to authorise something (Plaut & Bartlett, 2012) and, even if they do, it may not be entirely clear to them precisely what they are authorising (Acquisti & Grossklags, 2005; Solove, 2013). However, when they do understand that their authorisation is being requested (via the cookie notice), it is associated with increased perceived power, or control, over the process (Bornschein et al., 2020). Conversely, if the person does not perceive that they have control over their own act of authorisation (i.e. that they must accept the cookie), then it is most unlikely that they consider that they are performing a legitimate act of authorisation.
The Relationship Between the Web User Understanding what is Being Authorised and Their Attitude Towards Authorisation: Informed and Uninformed Attitudes
The web user’s attitude towards authorising the processing of their personal data via a cookie notice would, in line with the TPB, be shaped by their beliefs concerning the consequences of clicking “I accept”. It is evident that many people do not make active, informed choices (Ploug & Holm, 2012, 2015b; Schermer et al., 2014), and are simply unaware of the consequences of their acceptance. In this case, their lack of understanding of the consequences translates directly to a lack of justified belief formation (Faden & Beauchamp, 1986). Cookie notices generally provide too many or too few options, fuelling the belief that the choices are not meaningful, resulting in a lack of engagement with the notice (Utz et al., 2019). A lack of interest in the notice would correspond to the web user deeming the notice as being unworthy of consideration because they regard it as immaterial [i.e. not a “material description”, as per Faden and Beauchamp (1986)]. Therefore, any objective facts that must be understood for substantial understanding to be achieved would likely remain unknown to the web user, and an uninformed attitude would be established. Conversely, let us suppose that the web user takes an active interest in the cookie notice. In this case, their interest logically derives from the wish to reach a (substantial) understanding of any clauses that may be of concern to them (i.e. “material descriptions”), because they have particular attitudes towards the consequences of sharing their personal data. If the clauses of interest also correspond to the essential elements of the agreement, then an informed attitude would be formed.
The Relationship Between Non-control and Subjective Norms
It has been argued that companies appear to abuse their power as cookie policy authors by using linguistic techniques to obfuscate reality and to confuse and deceive the user (Pollach, 2005). For example, cookies are often described as small files which are used as standard practice, suggesting that they are innocuous and of no cause for concern (Pollach, 2005). If a cookie banner is designed to manipulate web user acceptance, then (following the logic of Faden and Beauchamp (1986)) there is a substantially controlling influence on the user’s decision to accept a tracking cookie, and it cannot be legitimately asserted that the web user can act autonomously (Bauer et al., 2021). Moreover, in the case of the tracking cookie, non-acceptance may, for example, result in a web user’s exclusion from online social activity in which significant others partake. This engages the subjective norm construct within the TPB. Social injunctive norms are subjective norms which are concerned with perceived social pressures from significant others to perform a particular behaviour (White et al., 2009). While subjective norms can motivate action, research has highlighted their weakness as a predictor of behaviour (Ajzen, 1991). Notwithstanding this, perceived social pressure, which is characterised by the normative social influence to conform to another’s or even one’s expectations (Cialdini et al., 1991; Deutsch & Gerard, 1955) (subjective norm) has been shown to be the most important TPB factor in predicting the intention to disclose personal information for incentives offered by commercial websites (Heirman et al., 2013). Such norms can exert a strong influence upon the individual’s decision to accept a cookie, to such an extent that they may be regarded as being substantially controlling.
Intention: Secondary Exchanges and Tolerated Acts
The web user’s intention to share personal data via the acceptance of a tracking cookie is often part of a secondary exchange in relation to the primary exchange of their access to mainstream goods or services (Obar, 2020). This secondary exchange, which is central to the understanding of a user’s privacy concerns, provides the information required to support a marketing relationship with the user (Culnan & Bies, 2003), and may be regarded as a tolerated act, as per Faden and Beauchamp’s (1986) AA model of consent. Clear evidence of the toleration effect was seen in a 2016 study which found that participants, when engaging with a social networking site, considered notices as an “unwanted impediment” to the real purpose of accessing the site (Obar & Oeldorf-Hirsch, 2020).
Discussion
The present research addresses the identified gap that exists concerning the absence of a macro-level behavioural model for online informed consent that consolidates privacy-related constructs across disparate contexts. It does so by developing a parsimonious original conceptual model for online informed consent, rooted in normative ethics theory and argued through logical reasoning, which unites the AA model of informed consent and the TPB. This model facilitates the analysis of acts of online consent through a well-established behavioural theory. This is illustrated by way of an exemplar that applies the model to the case of tracking cookies and explains a variety of web user behaviours in the context of the relationships between AA constructs and TPB constructs.
While various theoretical perspectives on consent have been highlighted in this paper, it would appear that contractualism, with its particular focus on the autonomy and informed consent of the individual, would appear to be an appropriate lens through which to view personal data-sharing arrangements. The key word here is “personal”. The “personal” is the bedrock of contractualism, whereas stakeholder theory subsumes personal interest to the collective and consequentialism abrogates personal interest if greatest utility can be found by other means.
This paper also contributes to ethical information management research and ethical marketing practices, at a theoretical and a practical level, by shedding light on the operation of consent elicitation in online interactions and transactions between web users and businesses and how such elicitation can align with architectures that properly respect the interests of users, for example, PbD implementations.
Theoretical Contributions
The current research develops theory in the domain of ethical personal information management. The primary theoretical contribution of this paper is the unification of the TPB with the AA model of informed consent, which were hitherto only considered distinctly. The proposed conceptual model augments privacy practices (e.g. PbD) by assisting organisations and researchers to understand the mechanism of a web user’s consent provision across a variety of contexts, thus facilitating ethical online consent processes that prioritise users’ interests.
The proposed model also benefits inter-disciplinary theoretical practice by extending the AA model of informed consent, which has a tradition in the sphere of medico-legal ethics, to a new sphere within business ethics. This has particular relevance to domains concerning the collection and processing of personal data for management or marketing purposes.
Another theoretical contribution of this research, which derives from the unified model, is to demonstrate that informed consent for personal data processing can be possible under circumstances of unwillingness, if it is a tolerated side effect of some overarching objective, providing it is given voluntarily and with substantial understanding of the data-sharing arrangement.
The notion of a tolerated act (as per the AA model of consent) accords well with online behaviour in relation to tracking cookies, where the sharing of personal data often occurs as an exchange which is usually secondary in relation to the primary act of accessing online goods and services. Regarding the intention to consent, the addition of tolerated acts is key to understanding informed consent in the context of personal data sharing, i.e. in personal data-sharing contexts, often the intention to share data is situated in the “tolerated” space. According to the TPB, given the lack of willingness, tolerated acts could not be considered as intentional. However, this work provides an argument demonstrating that it is theoretically possible for informed consent to be valid in circumstances where personal data is shared unwillingly. Given that consent is frequently provided under circumstances in which there are asymmetries in knowledge and power (Solove, 2013), this has considerable ethical implications as it appears to shift the balance of power further in favour of the consent-requester. However, this is only the case if toleration is considered as a binary construct. As toleration is often measured in degrees (Crick, 2014), it should then be considered whether there is a level of toleration that is too great and beyond which consent can be nullified. Moving the focus of online personal data sharing from willingness to toleration has clear and significant ethical implications, but ostensibly represents a more authentic recognition of the online consent dynamic in many situations. One such implication, which follows directly from the analysis herein, concerns Mill’s (1859) consequentialist perspective of autonomy: tolerated acts that are unwanted or undesirable diminish a person’s sense of autonomy and can have detrimental consequences for well-being. Conversely, acts that are willed are positively attributed and heighten a person’s sense of autonomy and well-being.
A further theoretical contribution concerns the informed attitude: this construct is a new theoretical conception that especially cements the link between informed consent and behaviour. It sheds light on what it means, from a behavioural perspective, to understand an agreement for which informed consent is being sought. This construct frames informed consent in terms of people having established attitudes towards (i) all aspects of the agreement that are important to them (subjective components) and, (ii) the essential elements of the agreement (objective components). Informed consent is not possible if either of these criteria is not present.
The concept of the uninformed attitude is particularly helpful in explaining the disinterest and lack of understanding that is often exhibited by web users regarding cookie notices, and the associated criticism that online consent is rarely truly informed. Yet, operationalisation of the informed attitude construct presents challenges: descriptions that are important to one individual may not be important to another individual; they are subjective. However, if only objective facts that must be understood were required for consent to be valid, operationalisation would be simplified, but at the expense of violating an aspect of the AA model of consent (i.e. ignoring subjective elements of the agreement that are important to a particular individual); on balance, the practical benefits of such an implementation may outweigh the dilution of the ethical purity of a true AA model operationalisation.
Practical Contributions
With an increasingly regulated environment, effective management of consent processes for web user data collection is becoming increasingly important. While there is an abundance of guidance for organisations concerning data protection and management, there is a lack of guidance on what constitutes collection that considers the web user’s attitudes, their sense of control and subjective norms i.e. collection that is user-centric. This largely stems from the absence of a framework for online informed consent that considers peoples’ behaviour, and it is having a detrimental effect on public trust in personal data processing activities.
By dissecting user behaviour in relation to online consent through the creation of a high-level behavioural model, as presented in this paper, it is possible to build ethical consent management processes for businesses that leverage the TPB’s rich backdrop of methods and materials to better understand various online consent behaviours. For example, if there is a lack of understanding of what is being authorised, behavioural interventions that target attitudes towards what requires authorisation may be considered. Or, if the voluntariness of consent is in question, an avenue of redress may be to examine any subjective norms that may be at play. A lack of understanding may also deny a person the ability to make a rational decision. As well as being a clear violation of informed consent as per the AA model, in Kantian terms it also violates the Categorical Imperative because the person could not be considered as a rational agent applying the principle of reason in an autonomous fashion. Respecting autonomy and keeping the interests of individuals uppermost, as well as having benefits for well-being (as discussed), aligns with principles of user-centricity, such as in the PbD framework, and can assist in addressing the public’s growing scepticism in personal data collection procedures.
Conclusions
A model for online informed consent has been developed that can be employed to augment ethical personal information collection and associated marketing practices by creating a user-centric model for consent transactions which unites behavioural theory, specifically the TPB, with the AA model of informed consent. This unified model creates a novel theoretical platform that explains the internal mechanisms of online consent behaviours and which, depending upon one’s theoretical standpoint, can be viewed through the normative ethical lens of either consequentialism or deontology. A qualitative method has been adopted in which the model is constructed through logical reasoning and then illustrated using the example of tracking cookies. It is shown that, under certain conditions, (i) the understanding construct in the AA model of consent aligns with two constructs in the TPB: attitude and perceived behavioural control. (ii) Non-control within the AA model aligns with the subjective norm in the TPB. (iii) Intention is common to both models, albeit with subtle but significant differences in meaning. Finally, (iv) the authorisation element of the AA model equates to the behaviour component in the TPB model.
The model also introduces a novel construct, the informed attitude, which must be present for informed consent to be valid. An informed attitude to an agreement is formed if an individual understands (a) all aspects of the agreement that are important to them and (b) the essential elements of the agreement.
Of particular ethical significance in the information management and marketing domains is the determination that it is theoretically possible for a web user to share personal data unwillingly, and for consent to remain informed, if it is a tolerated side effect of some greater intended purpose, provided it is given voluntarily and with substantial understanding. However, the unwillingness of consent provision for data-sharing activities sits uneasily with the narrative of individual autonomy and privacy practices, although it may be tempered if toleration is measured on a continuum on which there are levels of toleration beyond which consent could not be considered authentic.
Limitations and Further Work
A limitation of this study is related to the inclusion of descriptive norms in the model. This has the consequence that the model does not provide a definitive substantially controlling/non-controlling outcome in the case where informational social influence (ISI) is substantially controlling and normative social influence (NSI) is substantially non-controlling (or vice versa). Extending the model to overcome this limitation will require a construct that allows for the weighting of a combined NSI/ISI. This scenario can be explored in future research.
Further research which analyses the willingness of consent in a variety of online personal information disclosure contexts, and to what extent such disclosure is simply tolerated, would clarify the extent to which greater research efforts should be directed towards analysing online consent through a new ethical lens of toleration versus the traditional lens of willingness.
As substantial understanding is a core component of informed consent, another fruitful avenue of future research would be to investigate ways in which actual understanding can reach substantial understanding by managing other components of the unified model.
Operationalisation of the informed attitude construct would require further research efforts at the theoretical level. If understanding an agreement would require only the understanding of the objective facts, the departure that this would represent from a pure AA model operationalisation may predicate a modified form of consent that lies between the effective model of consent and the AA model.
References
Acquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human behavior in the age of information. Science, 347(6221), 509–514. https://doi.org/10.1126/science.aaa1465
Acquisti, A., & Grossklags, J. (2005). Privacy and rationality in individual decision making. IEEE Security & Privacy, 3(1), 26–33.
Ajzen, I. (1985). From intentions to actions: A theory of planned behavior. Action control (pp. 11–39). Springer.
Ajzen, I. (1991). The theory of planned behaviour. Organizational Behavior and Human Decision Processes, 50(2), 179–211. https://doi.org/10.1016/0749-5978(91)90020-t
Ajzen, I. (2002). Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior 1. Journal of Applied Social Psychology, 32(4), 665–683.
Alharthi, A., Krotov, V., & Bowman, M. (2017). Addressing barriers to big data. Business Horizons, 60(3), 285–292.
Ambler, T., & Wilson, A. (1995). Problems of stakeholder theory. Business Ethics: A European Review, 4(1), 30–35.
André, Q., Carmon, Z., Wertenbroch, K., Crum, A., Frank, D., Goldstein, W., Huber, J., Van Boven, L., Weber, B., & Yang, H. (2018). Consumer choice and autonomy in the age of artificial intelligence and big data. Customer Needs and Solutions, 5(1), 28–37.
Andrew, J., & Baker, M. (2021). The general data protection regulation in the age of surveillance capitalism. Journal of Business Ethics, 168(3), 565–578.
Apau, R., & Koranteng, F. N. (2019). Impact of cybercrime and trust on the use of e-commerce technologies: An application of the theory of planned behavior. International Journal of Cyber Criminology, 13(2), 228.
Bagozzi, R. P. (1992). The self-regulation of attitudes, intentions, and behavior. Social Psychology Quarterly, 55, 178–204.
Bagozzi, R. P. (2007). The legacy of the technology acceptance model and a proposal for a paradigm shift. Journal of the Association for Information Systems, 8(4), 244–254.
Bandura, A. (1986). Social foundation of thought and action: A social-cognitive view. Englewood Cliffs.
Bandura, A. (1991). Social cognitive theory of self-regulation. Organizational Behavior and Human Decision Processes, 50(2), 248–287.
Bashir, M., Hayes, C., Lambert, A. D., & Kesan, J. P. (2015). Online privacy and informed consent: The dilemma of information asymmetry. Proceedings of the Association for Information Science and Technology, 52(1), 1–10.
Bauer, J. M., Bergstrøm, R., & Foss-Madsen, R. (2021). Are you sure, you want a cookie?–—The effects of choice architecture on users’ decisions about sharing private online data. Computers in Human Behavior, 120, 106729.
Beauchamp, T. L. (2011). Informed consent: Its history, meaning, and present challenges. Cambridge Quarterly of Healthcare Ethics, 20(4), 515–523.
Benbasat, I., & Barki, H. (2007). Quo vadis TAM? Journal of the Association for Information Systems, 8(4), 211–218.
Bergner, R. M. (2011). What is behavior? And so what? New Ideas in Psychology, 29(2), 147–155.
Bonoma, T. V. (1985). Case research in marketing: Opportunities, problems, and a process. Journal of Marketing Research, 22(2), 199–208.
Borgesius, F. Z. (2015). Informed consent: We can do better to defend privacy. IEEE Security & Privacy, 13(2), 103–107.
Bornschein, R., Schmidt, L., & Maier, E. (2020). The Effect of consumers’ perceived power and risk in digital information privacy: The example of cookie notices. Journal of Public Policy & Marketing, 39(2), 135–154.
Cadwalladr, C., & Graham-Harrison, E. (2018). Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach. The Guardian. Retrieved from https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election
Campbell, L. (2017). Kant, autonomy and bioethics. Ethics, Medicine and Public Health, 3(3), 381–392.
Carolan, E. (2016). The continuing problems with online consent under the EU’s emerging data protection principles. Computer Law & Security Review, 32(3), 462–473. https://doi.org/10.1016/j.clsr.2016.02.004
Cate, F. H., & Mayer-Schönberger, V. (2013). Notice and consent in a world of big data. International Data Privacy Law, 3(2), 67–73. https://doi.org/10.1093/idpl/ipt005
Cavoukian, A. (2009). Privacy by design: The 7 foundational principles. Information and Privacy Commissioner of Ontario, Canada, 5, 12.
Choi, H., Park, J., & Jung, Y. (2018). The role of privacy fatigue in online privacy behavior. Computers in Human Behavior, 81, 42–51.
Cialdini, R. B., Kallgren, C. A., & Reno, R. R. (1991). A focus theory of normative conduct: A theoretical refinement and reevaluation of the role of norms in human behavior. Advances in experimental social psychology (Vol. 24, pp. 201–234). Elsevier.
Cohen, S. (1995). Stakeholders and consent. Business & Professional Ethics Journal, 14, 3–16.
Crespo, Á. H., & del Bosque, I. R. (2008). The effect of innovativeness on the adoption of B2C e-commerce: A model based on the Theory of Planned Behaviour. Computers in Human Behavior, 24(6), 2830–2847.
Crick, B. (1971). Toleration and tolerance in theory and practice. Government and Opposition, 6(2), 143–171.
Culnan, M. J., & Bies, R. J. (2003). Consumer privacy: Balancing economic and justice considerations. Journal of Social Issues, 59(2), 323–342.
Cummiskey, D. (1990). Kantian consequentialism. Ethics, 100(3), 586–615.
Deloitte. (2019). The Deloitte Global Millennial Survey 2019: Societal discord and technological transformation create a "generation disrupted". Retrieved August 21, 2019, from https://www2.deloitte.com/global/en/pages/about-deloitte/articles/millennialsurvey.html
Deutsch, M., & Gerard, H. B. (1955). A study of normative and informational social influences upon individual judgment. The Journal of Abnormal and Social Psychology, 51(3), 629.
Dinev, T., & Hart, P. (2006). An extended privacy calculus model for e-commerce transactions. Information Systems Research, 17(1), 61–80.
Eckstein, H. (1975). Case study and theory in political science. In F. I. Greenstein & N. W. Polsby (Eds.), Strategies of inquiry, handbook of political science (Vol. 7, pp. 94–137). Addison-Wesley.
Eysenck, H. J. (1963). Biological basis of personality. Nature, 199(4898), 1031–1034.
Faden, R. R., & Beauchamp, T. L. (1986). A history and theory of informed consent. Oxford University Press.
Friedman, B., Felten, E., & Millett, L. I. (2000). Informed consent online: A conceptual model and design principles. In: University of Washington Computer Science & Engineering Technical Report 00–12–2.
George, A. L., & Bennett, A. (2005). Case studies and theory development in the social sciences. MIT Press.
Goldberg, L. R. (1990). An alternative" description of personality": The big-five factor structure. Journal of Personality and Social Psychology, 59(6), 1216.
Hajli, N., Shirazi, F., Tajvidi, M., & Huda, N. (2021). Towards an understanding of privacy management architecture in big data: An experimental research. British Journal of Management, 32(2), 548–565.
Hajli, N., Sims, J., Zadeh, A. H., & Richard, M.-O. (2017). A social commerce investigation of the role of trust in a social networking site on purchase intentions. Journal of Business Research, 71, 133–141.
Hasnas, J. (1998). The normative theories of business ethics: A guide for the perplexed. Business Ethics Quarterly, 8(1), 19–42.
Heirman, W., Walrave, M., & Ponnet, K. (2013). Predicting adolescents’ disclosure of personal information in exchange for commercial incentives: An application of an extended theory of planned behavior. Cyberpsychology Behavior and Social Networking, 16(2), 81–87. https://doi.org/10.1089/cyber.2012.0041
Heugens, P. P., van Oosterhout, J. H., & Kaptein, M. (2006a). Foundations and applications for contractualist business ethics. Journal of Business Ethics, 68(3), 211–228.
Heugens, P. P., Kaptein, M., & van Oosterhout, J. H. (2006b). The ethics of the node versus the ethics of the dyad? Reconciling virtue ethics and contractualism. Organization Studies, 27(3), 391–411.
Ho, S. S., Lwin, M. O., Yee, A. Z., & Lee, E. W. (2017). Understanding factors associated with Singaporean adolescents’ intention to adopt privacy protection behavior using an extended theory of planned behavior. Cyberpsychology, Behavior, and Social Networking, 20(9), 572–579.
Hofmann, B. (2009). Broadening consent—and diluting ethics? Journal of Medical Ethics, 35(2), 125–129.
Hong, W., Chan, F. K., & Thong, J. Y. (2021). Drivers and inhibitors of internet privacy concern: A multidimensional development theory perspective. Journal of Business Ethics, 168(3), 539–564.
Hoofnagle, C. J., & Urban, J. M. (2014). Alan Westin’s privacy homo economicus. Wake Forest Law Review, 49, 261.
Hurd, H. M. (1996). The moral magic of consent. Legal Theory, 2(02), 121–146.
Kant, I. (1785). Groundwork for the metaphysics of morals. Oxford University Press.
Kirby, M. (1983). Informed consent: What does it mean? Journal of Medical Ethics, 9(2), 69–75.
Lanier, J., & Weyl, E. G. (2018). A blueprint for a better digital society. Harvard Business Review.
Li, H., Sarathy, R., & Xu, H. (2011). The role of affect and cognition on online consumers’ decision to disclose personal information to unfamiliar online vendors. Decision Support Systems, 51(3), 434–445.
Li, Y., Huang, Z., Wu, Y. J., & Wang, Z. (2019). Exploring how personality affects privacy control behavior on social networking sites. Frontiers in Psychology, 10, 1771.
Lin, D., & Loui, M. C. (1998). Taking the byte out of cookies: Privacy, consent, and the Web. ACM Policy, 28, 39–51.
Mai, J.-E. (2016). Big data privacy: The datafication of personal information. Information Society, 32(3), 192–199. https://doi.org/10.1080/01972243.2016.1153010
Malhotra, N. K., Kim, S. S., & Agarwal, J. (2004). Internet users’ information privacy concerns (IUIPC): Tthe construct, the scale, and a causal model. Information Systems Research, 15(4), 336–355. https://doi.org/10.1287/isre.1040.0032
Marta, J. (1996). A linguistic model of informed consent. Journal of Medicine and Philosophy, 21(1), 41–60.
Marwick, A., & Hargittai, E. (2019). Nothing to hide, nothing to lose? Incentives and disincentives to sharing information with institutions online. Information, Communication & Society, 22(12), 1697–1713.
McAfee, A., Brynjolfsson, E., Davenport, T. H., Patil, D., & Barton, D. (2012). Big data: The management revolution. Harvard Business Review, 90(10), 60–68.
McCrae, R. R., & Costa, P. T. (1987). Validation of the five-factor model of personality across instruments and observers. Journal of Personality and Social Psychology, 52(1), 81.
Mikalef, P., Boura, M., Lekakos, G., & Krogstie, J. (2019). Big data analytics capabilities and innovation: The mediating role of dynamic capabilities and moderating effect of the environment. British Journal of Management, 30(2), 272–298.
Mill, J. S. (1859). On liberty. Broadview Press.
Miller, F. G., & Wertheimer, A. (2011). The fair transaction model of informed consent: An alternative to autonomous authorization. Kennedy Institute of Ethics Journal, 21(3), 201–218.
Millett, L. I., Friedman, B., & Felten, E. (2001). Cookies and web browser design: toward realizing informed consent online. In: Proceedings of the SIGCHI conference on Human factors in computing systems.
Milne, G. R., & Rohm, A. J. (2000). Consumer privacy and name removal across direct marketing channels: Exploring opt-in and opt-out alternatives. Journal of Public Policy & Marketing, 19(2), 238–249.
Obar, J. A. (2020). Sunlight alone is not a disinfectant: Consent and the futility of opening big data black boxes (without assistance). Big Data & Society, 7(1), 2053951720935615.
Obar, J. A., & Oeldorf-Hirsch, A. (2020). The biggest lie on the internet: Ignoring the privacy policies and terms of service policies of social networking services. Information, Communication & Society, 23(1), 128–147.
O'Flaherty, K. (2018). This is why people no longer trust Google and Facebook with their data. Forbes. Retrieved from https://www.forbes.com/sites/kateoflahertyuk/2018/10/10/this-is-why-people-no-longer-trust-google-and-facebook-with-their-data/#61f2b1f54b09
Ossorio, P. G. (2006). The behavior of persons. Psychology Press.
Oxford English Dictionary. (2019). Oxford English dictionary. Oxford University Press.
Palmer, D. E. (2005). Pop-ups, cookies, and spam: Toward a deeper analysis of the ethical significance of internet marketing practices. Journal of Business Ethics, 58(1), 271–280.
Pantano, E., Dennis, C., & Alamanos, E. (2021). Retail managers’ preparedness to capture customers’ emotions: A new synergistic framework to exploit unstructured data with new analytics. British Journal of Management, 2021, 1–21.
Petty, R. E., & Cacioppo, J. T. (1986). The elaboration likelihood model of persuasion. Advances in Experimental Social Psychology, 19, 123–205.
Plaut, V. C., & Bartlett, R. P. (2012). Blind consent? A social psychological investigation of non-readership of click-through agreements. Law and Human Behavior, 36(4), 293–311. https://doi.org/10.1037/h0093969
Ploug, T., & Holm, S. (2012). Informed consent and routinisation. Journal of Medical Ethics, 39(4), 214–218.
Ploug, T., & Holm, S. (2015a). Meta consent: a flexible and autonomous way of obtaining informed consent for secondary research. BMJ: British Medical Journal. https://doi.org/10.1136/bmj.h2146
Ploug, T., & Holm, S. (2015b). Routinisation of informed consent in online health care systems. International Journal of Medical Informatics, 84(4), 229–236.
Pollach, I. (2005). A typology of communicative strategies in online privacy policies: Ethics, power and informed consent. Journal of Business Ethics, 62(3), 221–235.
Prochaska, J. O., & DiClemente, C. C. (1984). The transtheoretical approach: Crossing traditional boundaries of therapy. Dow Jones-Irwin.
Rawls, J. (1971). 1971: A theory of justice. Harvard University Press.
Rhodes, R. E., Blanchard, C. M., Matheson, D. H., & Coble, J. (2006). Disentangling motivation, intention, and planning in the physical activity domain. Psychology of Sport and Exercise, 7(1), 15–27.
Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change1. The Journal of Psychology, 91(1), 93–114.
Romanou, A. (2018). The necessity of the implementation of privacy by design in sectors where data protection concerns arise. Computer Law & Security Review, 34(1), 99–110.
Schermer, B. W., Custers, B., & van der Hof, S. (2014). The crisis of consent: How stronger legal protection may lead to weaker consent in data protection. Ethics and Information Technology, 16(2), 171–182. https://doi.org/10.1007/s10676-014-9343-8
Sharif, S. P., & Naghavi, N. (2020). Online financial trading among young adults: Integrating the theory of planned behavior, technology acceptance model, and theory of flow. International Journal of Human-Computer Interaction, 37(10), 949–962.
Siggelkow, N. (2007). Persuasion with case studies. Academy of Management Journal, 50(1), 20–24.
Sim, J., & Wright, C. (2000). Research in health care: Concepts, designs and methods. Nelson Thornes.
Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: An interdisciplinary review. MIS Quarterly, 35(4), 989–1015.
Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: Measuring individuals’ concerns about organizational practices. MIS Quarterly, 20(2), 167–196.
Solove, D. J. (2013). Privacy self-management and the consent dilemma. Harvard Law Review, 126(7), 1880–1903.
Stead, B. A., & Gilbert, J. (2001). Ethical issues in electronic commerce. Journal of Business Ethics, 34(2), 75–85.
Tene, O., & Polonetsky, J. (2012). Big data for all: Privacy and user control in the age of analytics. Northwestern Journal of Technology and Intellectual Property, 11, xxvii.
Tsohou, A., & Kosta, E. (2017). Enabling valid informed consent for location tracking through privacy awareness of users: A process theory. Computer Law & Security Review, 33(4), 434–457. https://doi.org/10.1016/j.clsr.2017.03.027
Tymchuk, A. J. (1997). Informing for consent: Concepts and methods. Canadian Psychology-Psychologie Canadienne, 38(2), 55–75. https://doi.org/10.1037/0708-5591.38.2.55
Utz, C., Degeling, M., Fahl, S., Schaub, F., & Holz, T. (2019). (Un) informed consent: Studying GDPR consent notices in the field. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security.
Van Oosterhout, J., Heugens, P. P., & Kaptein, M. (2006). The internal morality of contracting: Advancing the contractualist endeavor in business ethics. Academy of Management Review, 31(3), 521–539.
Van Slyke, C., Shim, J., Johnson, R., & Jiang, J. J. (2006). Concern for information privacy and online consumer purchasing. Journal of the Association for Information Systems, 7(6), 16.
White, M. D. (2004). Can homo economicus follow Kant’s categorical imperative? The Journal of Socio-Economics, 33(1), 89–106.
White, K. M., Smith, J. R., Terry, D. J., Greenslade, J. H., & McKimmie, B. M. (2009). Social influence in the theory of planned behaviour: The role of descriptive, injunctive, and in-group norms. British Journal of Social Psychology, 48(1), 135–158.
Win, K. T. (2005). A review of security of electronic health records. Health Information Management, 34(1), 13–18.
Wright, S. A., & Xie, G. X. (2019). Perceived privacy violation: Exploring the malleability of privacy expectations. Journal of Business Ethics, 156(1), 123–140.
Xu, F., Michael, K., & Chen, X. (2013). Factors affecting privacy disclosure on social network sites: An integrated model. Electronic Commerce Research, 13(2), 151–168.
Yin, R. K. (2009). Case study research: Design and methods (4th ed.). Sage.
Yun, H. J., Lee, G., & Kim, D. J. (2019). A chronological review of empirical research on personal information privacy concerns: An analysis of contexts and research constructs. Information & Management, 56(4), 570–601. https://doi.org/10.1016/j.im.2018.10.001
Funding
No external funding was received to assist with the preparation of this manuscript.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
The authors have no conflict of interest to declare that are relevant to the content of this article.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Burkhardt, G., Boy, F., Doneddu, D. et al. Privacy Behaviour: A Model for Online Informed Consent. J Bus Ethics 186, 237–255 (2023). https://doi.org/10.1007/s10551-022-05202-1
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10551-022-05202-1