Introduction

In response to COVID-19, various policy strategies were adopted to control community infections (Lu et al., 2020). In doing so, technology has played a significant role in managing and controlling the pandemic situation (Piccialli et al., 2022). Specifically, one of the measures introduced by many countries to control infectious diseases is “contact tracing.“ Contact tracing means the “the process of identifying, assessing, and managing people who have been exposed to a contagious disease to prevent onward transmission.“ (World Health Organization, 2014). The visitor QR (quick response) code system adopted in multi-use facilities is an example of using information and communications technology for personal information collection and tracking, which has become an integral part of quarantine and monitoring strategies (Lee, 2020; Park, 2021). For example, in South Korea, visitor logs at restaurants became mandatory, and individuals’ contact information (i.e., addresses and phone number), and visit time were collected (Kim & Mah, 2020). On the other hand, in the U.S., local governments institutionalized the collection of personal information about customers at multi-use facilities (Houck, 2020). The acquisition and use of personal information are regarded as an inevitable and effective measure to prevent the spread of infection in a pandemic, but at the same time, the need for privacy protection is often overlooked (Bhatt et al., 2022). As a result, user privacy violation incidents increased exponentially during the health crisis (Brough & Martin, 2021).

In fact, privacy concerns are among the most critical issues related to personal information disclosure (PID) (Fox & James, 2021; Gasser et al., 2020; Huang et al., 2020). This topic has been recognized and examined widely since the beginning of the Information Age in the mid-1980s, resulting in active discussion about privacy, accuracy, property, and accessibility (PAPA) related to information use (Bélanger & Crossler, 2011) with a solid theoretical foundation for information privacy (Li, 2012; Bélanger & Crossler, 2011) stated that information privacy could be defined in one way as “a moral right or a legal right” and in another way as “one’s ability to control information about oneself” (p.1018). While the concepts of information privacy may vary, it is clear that privacy issues are many and varied in nature. Therefore, information privacy has been studied not only by Information System (IS) researchers but also by researchers in marketing, management, psychology, and many other fields.

Empirical research has widely applied privacy calculus theory (Culnan & Armstrong, 1999; Dinev & Hart, 2006; Tsai et al., 2011) as a mechanism that explains individuals’ decision-making via the subjective assessment of the trade-off between the benefits and risks associated with information disclosure. Studies on information disclosure have focused on the privacy issue raised by self-disclosure behavior in a variety of research contexts, such as e-commerce transactions (Tsai et al., 2011), electronic healthcare (Bansal & Gefen, 2010), and social media platforms or social networking sites (Chin et al., 2020; Jozani et al., 2020; Sun et al., 2015). However, debates about government-led data collection and personal freedom in the pandemic situation can be understood as a new social phenomenon (Park, 2021). Privacy tracking in a public health crisis is distinguished from the traditional IS usage addressed in extant literature, which has highlighted the factors of perceived benefits and privacy concerns in terms of end-user motivation. In contrast, in the COVID-19 pandemic, first, the individual’s appraisal of the situational threat imposed by the pandemic is likely to formulate their safety-related psychological state, which in turn affects their perceptions on the benefits and risks of privacy disclosure. Second, by providing personal information through the tracking system, individuals have the advantage of timely infection-related information when necessary. The perceived benefits of providing personal information are relevant to mutual safety. Thus, the disclosure of personal information in the special circumstances of a pandemic can be understood not only in terms of a relationship between individual benefits and risk but also as a social behavior consistent with society’s pursuit of the public interest (Lin & Martin, 2020).

Although privacy issues have emerged as a new social problem arising from the tracking systems mandated in multi-use facilities, including restaurants, there has been little research that has adopted a comprehensive conceptual framework encompassing external situational threat, intrinsic benefits and risks, and social and government factors for understanding individuals’ information disclosure through contact tracing tools. Prior research on personal information disclosure mainly emphasized the importance of internal motivators in terms of perceived benefits and risks. There has been insufficient research that verifies situational antecedents for risk and benefit assessment, or social and institutional influences on personal information disclosure. Therefore, the uniqueness of the pandemic situation provides opportunities to refine theories that explain privacy issues. Moreover, this research will help restaurant managers and government authorities understand the restaurant patrons and establish more effective policy regarding information privacy collection.

Accordingly, this study sought to identify factors that affect privacy disclosure from an integrated perspective in the context of restaurants. The relationship between individuals’ perceptions of infectious diseases and their intrinsic factors relating to personal information disclosure were identified to explain behavioral intentions. To theoretically explain the drivers/inhibitors of privacy disclosure and behavioral responses, privacy calculus theory and institutional theory were applied as a conceptual framework in the current research. The privacy calculus model, which suggests that individuals engage in a risk-benefit analysis when sharing information with a vendor, has been adopted in previous studies (Kim et al., 2019; Li et al., 2016). In addition, institutional theory proposes that certain human behaviors are influenced by the environment of the organization as well as by regulatory, cognitive, and normative pressures (DiMaggio & Powell, 1983; Scott, 2004). In our study, external pressure for personal information disclosure at restaurants is imposed by government pressure and subjective norms created among members of society.

Drawing on these theoretical models, the current study aimed to propose and empirically test a research model that explains information privacy behavior for restaurant customers in a pandemic situation. The specific aims of this research were to: (1) identify the influence of perceived severity of and perceived vulnerability to COVID-19 on conflicting intrinsic factors in personal information disclosure (perceived benefit and perceived risk); and (2) examine the effect of intrinsic factors and extrinsic factors (subjective norms and government pressure) on intention to disclose personal information. Our study was conducted with customers who had experienced disclosing personal information in restaurants during the pandemic. As the need for personal information disclosure emerged in multi-use facilities, including restaurants, investigating the awareness of personal information loss in daily life became significant for understanding this new social phenomenon. The results of this study have practical implications for restaurant managers and policy agencies.

Research background

Privacy Calculus Theory

Privacy calculus theory suggests that information privacy-related attitudes and behaviors are determined by individuals’ evaluations of the benefits and risks associated with the provision of personal information (Culnan & Armstrong, 1999; Dinev & Hart, 2006) argue that individuals anticipate and evaluate the privacy-related risks and benefits of disclosing personal information when they encounter a situation that requires the provision of potentially sensitive and private information. Extant literature has suggested that individuals are less likely to share personal information when they are concerned about information privacy (Culnan & Armstrong, 1999; Li et al., 2010). As people tend to withhold their private information, other motivators are necessary to encourage them to provide it (Smith et al., 2011). Prior research on privacy found that people were willing to disclose personal information in exchange for some economic or social benefit, subject to the ‘privacy calculus,’ a subjective assessment of whether their personal information would subsequently be used fairly and they would not suffer negative consequences (Culnan & Armstrong, 1999).

According to privacy calculus theory, perceived risk is uncertainty concerning the potential invasion of privacy as a result of personal information disclosure (Dinev & Hart, 2006). Perceived privacy risks include information sensitivity (Yang & Wang, 2009), privacy concerns (Bansal & Gefen, 2010), and legislative protection (Li et al., 2016). The perceived benefits, the other construct of privacy calculus theory, refer to a wide range of financial and non-financial incentives as consequences of sharing personal information (Smith et al., 2011). Benefits include the disclosure of public goodness (Nabity-Grover et al., 2020) and individual-organization trust (De Wulf et al., 2001; Gefen & Heart, 2006; Wang et al., 2017) found that individuals gave more weight to social rewards than financial rewards with regard to self-disclosure intention.

The degree of benefits and risks perceived by individuals in a particular situation may differ depending on past experience (Dienlin & Metzger, 2016), or the purpose and the context of social transactions (Liu et al., 2014). The privacy calculus can also be influenced by an individual’s subjective value, and it serves as a personal or internal motivation in the decision-making process (Li, 2012). Privacy calculus theory has been applied in a variety of research contexts, such as location-based social network services (Sun et al., 2015), mobile applications (Morosan & DeFranco, 2015; Wang et al., 2016), electronic health records (EHRs) (Dinev et al., 2016), mobile location-based advertising (Gutierrez et al., 2019) and IoT services (Kim et al., 2019). Within this literature, scholars have largely agreed that privacy is situational and significantly contextual.

These studies suggest that in the pandemic situation in which personal information is used by national health agencies to conduct contact tracing to prevent infection in local communities, individuals’ privacy perceptions may be different than in other contexts (e.g., use of e-commerce and SNS). Given the unprecedented circumstances presented by the COVID-19 pandemic, the disclosure of personal information is a crucial component in containing the spread of infection (Gasser et al., 2020). In this context, the privacy calculus theory postulates that individuals compare the benefit of receiving information about being in contact with infected individuals with the risk of a loss of control over their personal information or misuse by government or private organizations. With the pandemic threat, there has been widespread acceptance of tracking technology, and a relatively low public perception of concern about providing personal information has been found (Lewandowsky et al., 2021). However, Jung et al., (2020) emphasized that despite the advantage of reducing the spread of infection by locating infected persons, there could be serious privacy problems if personal identification occurs. The perceived benefits for public health and the credibility of authorities’ privacy protection policies have a positive effect on the disclosure of personal information (Hassandoust et al., 2021). Privacy calculus factors (benefit and risk) can explain the mechanism of behavior for privacy disclosure in the current restaurant contexts, a new social phenomenon, and are expected to present meaningful results.

Institutional Theory

While the term ‘institution’ has been defined differently, it generally refers to a basic framework constituting a set of norms, rules, and beliefs (North, 1990). Institutional environments may endogenously influence organizations through the archetypes they develop for actors, the logic they legitimate, and the governance system and rules of social activities they support. In other words, organizational decisions are not only driven by individuals’ rational goals but also by social and cultural factors and concerns about legitimacy (Scott et al., 2000). With respect to institutional theory, Scott (1995) classified a country’s institutional environment into three dimensions: regulatory, cognitive, and normative. The regulatory dimension refers to the rules and laws accountable for the stability of society. The cognitive dimension contains the cognitive structures and mechanisms in a society that are taken for granted. Lastly, the normative dimension covers the social and cultural values and norms in society (Yiu & Makino, 2002).

In further developing the model, DiMaggio & Powell (1983) identified three mechanisms through which institutional members engage in similar decisions and behaviors: (1) coercive isomorphism, (2) mimetic isomorphism, and (3) normative isomorphism. Coercive isomorphism emerges as a result of formal and informal pressure exerted by governments and institutions. Regulatory bodies impose legal and administrative sanctions to introduce specific behaviors or standards (Kostova, 1997; Scott, 1995), and individuals are coercively encouraged to comply with social standards (García-Sánchez et al., 2016). Mimetic isomorphism can be understood as an effort to respond to uncertainty and produce good results by imitating the decision-making and actions of a role model or a leader within an organization (Shi et al., 2008). Finally, normative isomorphism refers to the process of rationalizing and theorizing new operating standards until members take them for granted (Strang & Meyer, 1993). Specific cases within an organization may change the principles that are applicable to the entire organization, i.e., behavioral patterns can be rationalized, and homogeneity among all members can be achieved (Suchman, 1995).

Empirical studies of institutional theory have examined the influence of pressure within organizations on operation methods and people’s intention to accept specific technologies. Coercive pressure, normative pressure, and mimetic pressure have been measured and research has verified that these pressures influence the diffusion rate of operating methods within organizations (Burns & Wholey, 1993; Lee & Pennings, 2002). Furthermore, IS researchers have verified that institutional forces affect the use or adoption of new technology in organizations (Gibbs & Kraemer, 2004; Soares et al., 2020), such as enterprise resource planning (ERP) system (Liang et al., 2007), electronic procurement systems (EPSs) (Soares-Aguiar & Palma-dos-Reis, 2008), and EHRs (Sherer et al., 2015).

The disclosure of personal information in the context of a pandemic is considered to be more than an individual’s calculus of privacy risk-benefit; it is also motivated by external factors, such as normative pressure on social actors or coercive pressure from government (Lin & Martin, 2020). Individuals within an organization tend to harmonize with their surroundings to resolve uncertainty and constraints, and social homogeneity itself can act as a crucial external motive factor in the decision-making process (Sherer et al., 2015). While institutional pressure includes three types of pressures, Scott (2005) suggests that special attention should be paid to “regulatory” and “normative” pressures, focusing on the targets under which they are applied. Wang et al., (2018) also classified institutional pressures affecting environmental management practices into regulatory pressures and normative pressures. Considering each pressure is context-specific (Berrone et al., 2013), the pressures in this study can be largely divided into social and governmental Therefore, in this study, institutional pressure was composed of subjective norms for society members and coercive pressure from government regulations.

In summary, by applying the privacy calculus theory and institutional theory discussed above, this study presents a conceptual model as shown in Fig. 1. The subjects of this study were customers who had experience in disclosing personal information in restaurants, and we sought to identify the importance of the factors that led to personal information disclosure behavior. The current study also defined the relationship between individual threat appraisal and privacy calculus factors as ‘situational privacy calculus’, and tried to explain the mechanisms for threat appraisal, drivers/inhibitors, and behavior.

Fig. 1
figure 1

Conceptual model

Hypothesis Development and Research Model

Research Model

Figure 2 demonstrates the research model, which consists of eight main hypotheses derived from the literature discussed in the previous section. The model explains the structural relationships between threat appraisal of COVID-19, the drivers and inhibitors of PID, and intention to disclose. The following variables were included in the research model to ensure an accurate evaluation of intention to disclose PI (Personal Information): years of smartphone use; and the number of personal information disclosures. Prior studies have verified that individuals with frequent experiences of privacy disclosure are less sensitive about their personal information (Lang et al., 2018). In a similar vein, given that privacy-related issues have become a significant issue owing to the development of ICT and the high frequency of privacy-providing experiences using mobile devices in the pandemic situation (Cha et al., 2021), we also considered that the duration of smartphone usage would affect personal information disclosure intentions.

Fig. 2
figure 2

Research Model. Note: PID = Personal Information Disclosure

Perceived Severity and Vulnerability toward Privacy Calculus Factors

Threat appraisal refers to the individual’s cognitive assessment of the relevant external threats (Maddux & Rogers, 1983). This concept has been articulated further based on perceived severity, which refers to the degree of seriousness of the consequences from the negative event imposing the threat, and perceived vulnerability, which means the magnitude of susceptibility felt by the individual to the threat (Rogers, 1975). The protection motivation framework (Wurtele & Maddux, 1987) postulates that a high threat appraisal leads to elevated self-protection against the impending threat (Wang et al., 2019).

Applying this framework in the context of the COVID-19 pandemic, Bashirian et al., (2020) reported that healthcare workers’ threat appraisal (perceived severity and perceived vulnerability) affected their protection motivation with regard to COVID-19 preventive behavior. Similarly, Ezati Rad et al., (2021) reported that COVID-19 protection motivation was significantly and positively correlated with perceived severity and perceived vulnerability. This heightened health motivation is expected to affect the likelihood of engaging in the recommended behaviors for health protection. To lend support, Itani & Hollebeek (2021) showed that travelers’ threat appraisal (perceived severity and perceived susceptibility) positively affected their social distancing behavior, which in turn influenced their intention to use virtual reality-based (vs. in-person) attractions. In the same vein, people who have a high perception of COVID-19 threats consider continuously using social distancing practices (Sreelakshmi & Prathap, 2020). In other words, these previous studies suggest that a perceived high threat to health by an individual induces protective motivation, and ultimately affects the individual’s decision-making process (Brewer et al., 2004; Maiman & Becker, 1974).

The collection and utilization of personal information by the government or health authorities can be effective in preventing the spread of infection (Ienca & Vayena, 2020). Personal information is used to track and identify people exposed to COVID-19, and, in such a pandemic situation, the provision of personal information can be viewed as a protective action against threats to individual safety. Further, when the perceived threat is more severely appraised, it is more likely that individuals will take protective actions, as they perceive the benefits of such behavior more positively. Risks associated with information disclosure have also been recognized. Lewandowsky et al., (2021) probed the public’s attitude towards potentially privacy-encroaching options, such as tracking technology and immunity passports to combat the pandemic. They explained that perceived harm from COVID-19 offsets the risks to individual privacy from a privacy calculus perspective. According to this argument, the larger the perceived threat, the smaller the perceived risk of personal information disclosure. Tran & Nguyen (2021) also explained the use of contact tracing applications as a precautionary behavior against the virus, verifying that health risks positively influenced the perceived value. Therefore, it is likely that the threat appraisal is positively related to the perceived benefit of personal information disclosure in a pandemic situation. Based on prior research, we propose the following hypotheses.

H1a. In a pandemic situation, perceived severity has a positive effect on the perceived benefit of PID.

H1b. In a pandemic situation, perceived severity has a negative effect on the perceived risk of PID.

H2a. In a pandemic situation, perceived vulnerability has a positive effect on the perceived benefit of PID.

H2b. In a pandemic situation, perceived vulnerability has a negative effect on the perceived risk of PID.

Perceived Risk and Benefit toward Personal Information

Drawing on the privacy calculus perspective, this study defines perceived benefit as the degree of positive safety-related consequences of personal information disclosure, and the perceived risk as the predicted degree of privacy loss from personal information disclosure. With respect to perceived risks and perceived benefits, which explain individuals’ conflicting views on information provision (Dinev & Hart, 2006), people perform a costs (risks)-benefits analysis of information disclosure based on the specific circumstances of IS adoption.

For example, in the context of mobile applications usage, Wang et al., (2016) proposed that privacy is relinquished to some extent for the anticipated benefits of using the applications. Therefore, it is possible to postulate that benefits from the app, such as convenience, personalization, entertainment, or other rewards, are likely to lead to its adoption. With respect to information provision in the pandemic situation, Sharma et al., (2020) have reported that favorable expected outcomes influence attitudes toward COVID-19 digital contact tracing applications, while privacy concerns have a negative impact. Hassandoust et al., (2021) also verified that risk, privacy concerns, and benefits to public health affected the intention to install a contact tracing mobile application. When individuals’ perception of a benefit exceeded the privacy risk loss, they were willing to surrender personal information even if their personal information was sensitive (Li et al., 2016). Based on these previous findings, the current research established the following hypotheses concerning the disclosure of personal information in a pandemic situation:

H3. In a pandemic situation, the perceived benefit of PID has a positive effect on PID behavior.

H4. In a pandemic situation, the perceived risk of PID has a negative effect on PID behavior.

Subjective Norms and Government Pressure for Personal Information Disclosure

The disclosure of personal information in a pandemic context can be understood not only as a trade-off relationship between the individual’s privacy benefit and risk, but also in terms of the normative pressure on social actors or coercive pressure from government (Lin & Martin, 2020). Accordingly, in our study, institutional pressure on personal information disclosure was divided into subjective norms and government pressure within the country’s institutional environment.

The institutional force model has been applied to explain the role of external forces (such as social norms or regulatory pressure) on the adoption of information systems and technologies, such as supply chain management system or enterprise applications (Kokkonen et al., 2013; Liang et al., 2007; Tsai et al., 2013). For example, Gibbs & Kraemer (2004) verified that environmental factors (external pressure, government promotion, and legislation barriers) are directly associated with the scope of e-commerce use. In a similar vein, Sherer et al., (2015) reported the impact of the institutional influence of government policies and industry norms on the adoption of EHRs.

The theory of planned behavior (Ajzen, 1991) also asserts that subjective norms influence behavioral intentions. With regard to information technology adoption, researchers have validated subjective norms as an antecedent to behavioral intentions (Bock et al., 2005; Kaushik et al., 2015; Ozkan & Kanat, 2011). In the context of information privacy issues, subjective norms as a socially related factor in disclosure behavior are positively related to behavioral intention to use a website (Kaushik et al., 2018). Therefore, it is logical to conclude that the stronger the group standards, the more justifiable certain behaviors are among the social community members. Based on the above literature, this research hypothesized that subjective norms and government pressure relating to PID are significantly related to intention to disclose PI. Thus, the following two hypotheses were suggested:

H5. In a pandemic situation, subjective norms relating to PID have a positive effect on PID Behavior.

H6. In a pandemic situation, government pressure relating to PID has a positive effect on PID Behavior.

Research Method and Analysis

Survey measures

To avoid measurement inaccuracies, previously validated multi-measurement items were used in the questionnaire (Churchill Jr,, 1979) after adapting them to the context of the current study. Initially, the survey questions included 27 items for seven constructs: perceived severity, perceived vulnerability, perceived risk of PID, perceived benefit of PID, subjective norms relevant to PID, government pressure relating to PID, and PID behavior in the pandemic situation. Perceived severity was assessed using four items derived from Prasetyo et al., (2020). Perceived vulnerability was assessed using 4 items derived from Prasetyo et al., (2020) and De Zwart et al., (2009). To assess the perceived risk of PID in the pandemic situation, four items were adapted from research conducted by Morosan & DeFranco (2015) and Xu et al., (2011). For the perceived benefit of PID, four items were developed based on prior research (Dinev et al., 2013, 2016) in the context of the pandemic situation. To measure the subjective norms relating to PID, three items were drawn from Sledgianowski & Kulviwat (2009). To assess government pressure relating to PID in the pandemic situation, four items were drawn from Ahmadi et al., (2017) and Krell et al., (2016). Lastly, four items were adapted from prior research (Bansal & Gefen, 2010) to measure PID behavior.

Data collection

The unit of analysis for this study was individuals in South Korea, the United States (US), and the United Kingdom (UK) who had experienced the disclosure of personal information via QR codes and hand-written entry logs in restaurants. Considering the pandemic situation, this study conducted a survey on residents in South Korea (a representative Eastern country), the United Kingdom and the United States (Western countries), which are actively using ICT to prevent COVID-19 infection (Whitelaw et al., 2020). Data collection through an online survey for respondents in South Korea was performed from December 23 to December 31, 2020, and in the US and the UK, it was performed from January 4 to January 5, 2021. Seven-point Likert-type scales were used for high reliability and discriminant validity (Cicchetti et al., 1985). The participants were asked to indicate the extent to which they agreed or disagreed with each of the 27 items (1 = strongly disagree and 7 = strongly agree). In addition, the survey contained two items associated with past experience of PID in the pandemic situation (i.e., number of experiences disclosing PI, and the preferred way to disclose personal information), and eight questions related to socio-demographics (i.e., age, gender, occupation, marital status, education, monthly income, country of residence, and number of years using smartphones). The measurement was originally designed in English and then translated into Korean by two professionals who are proficient in English and Korean. The Korean version was then back-translated into English, and some discrepancies were remedied between the English and Korean expressions. Two scholars whose native language is Korean evaluated the content validity of the survey questions. As a pilot test, the questionnaire was administered to four students majoring in hospitality management. A pretest was administered to 57 participants with the assistance of a marketing company. This procedure found no material discrepancies.

An online survey was considered to be a particularly appropriate data collection method in the pandemic situation. Access to potential respondents in South Korea was obtained through a reputable marketing research firm (Macromill Embrain, www.embrain.com), and a quota sampling approach was implemented. Access to potential participants in the US and the UK was obtained in a similar manner through a marketing research firm (Prolific, https://www.prolific.com) using a convenience sampling method. In a screening question purposely designed for the survey, all subjects were asked to indicate whether they had experienced disclosing personal information in a restaurant in the pandemic situation (i.e., “How many times have you experienced personal information disclosure in a restaurant in the pandemic situation?”).

Data analysis

Sample Characteristics

A total of 475 usable surveys were completed: 311 from South Korea, 89 from the US, and 75 from the UK. Female respondents accounted for 49.9% of the overall sample. Approximately 26.5% of the respondents were between 30 and 39 years of age, 23.6% were between 20 and 29, and 21.3% were between 40 and 49. About 49.3% of the respondents held a bachelor’s degree, 18.7% had master’s degrees, 16.6% held a trade/vocational/college degree, and 15.4% had secondary school qualifications or below. About 48.2% of the respondents had more than 10 years of experience using smartphones, 34.9% had 5 to 10 years of experience, 9.1% had less than 3 years of experience, and 7.8% had 3 to 5 years of experience in using a smartphone. Regarding personal information disclosure experiences in the pandemic situation, 41.9% had more than 10 disclosure experiences, 24.2% had one or two disclosure experiences, 21.1% had three to five disclosure experiences, and 12.8% had six to nine disclosure experiences. Approximately 63.2% of the respondents were found to prefer QR codes, and 36.6% of the respondents preferred handwritten entry logs when using restaurants in the pandemic situation. The respondents’ detailed demographics are reported in Table 1.

Table 1 Demographics. (n = 475)

Measurement Model

This study employed partial least squares–structural equation modeling (PLS-SEM) analysis to examine the proposed measurement and structural model and test the proposed hypotheses. The PLS-SEM technique was used instead of CB-SEM procedures because of the research objective, which addressed the new context of the pandemic situation (Hair Jr ,et al., 2021). PLS-SEM uses the residual variance of the latent variables, and its main object is predicting key target variables (Fornell & Bookstein, 1982). Considering the current study was primarily prediction-oriented, we chose to use PLS-SEM analysis.

Because respondents were asked to rate all survey questions at once, common method variance was a potential issue. Therefore, Harman’s single-factor test as a post hoc statistical test was performed to confirm whether common method bias was present in the resultant data set (Harman, 1967). We subjected all 27 measurement items to an exploratory factor analysis (EFA), and unrotated factor solutions were examined. In this process, when a single factor appears or when one factor accounts for more than 50% of the variance of the variables, there is an issue of common method bias (Podsakoff et al., 2003). The EFA results delineated seven variables (Eigenvalue > 1) and each dimension explained 4.425–32.001% of the covariation among the measures. As none of the factors accounted for more than 50% of the covariation, it was concluded that the measures in this study did not have a serious common method bias problem.

The analysis first assessed the measurement model through the validity and reliability of the constructs. Convergent validity was evaluated the strength and significance of the loadings, the average variance extracted (AVE), and the reliability estimates (Bagozzi & Heatherton, 1994). As Table 2 shows, all loadings were satisfactory, and all AVEs were greater than 0.50, exceeding the suggested threshold (Fornell & Larcker, 1981). Taken together, the results provide strong evidence for convergent validity. Next, construct reliability was assessed via internal consistency and indicator reliability. Internal consistency was evaluated with Dillon-Goldstein’s rho, which does not assume parallelity of the manifest variables as Cronbach’s alpha does. All factors achieved satisfactory reliability (Cronbach’s alpha > 0.70), and Dillon-Goldstein’s rho value ranged from 0.875 to 0.967 (Table 2). Finally, discriminant validity was established on the basis of the heterotrait–monotrait ratio of correlations (HTMT), a procedure superior to the commonly considered criterion (Fornell & Larcker, 1981), and by the assessment of cross-loadings (Henseler et al., 2015). The results showed that all HTMT values of the latent variables were below the critical and conservative value of 0.85 (Table 3). The results demonstrated that, overall, the scales were valid and reliable measures of their respective constructs.

Table 2 Measurement Item Properties
Table 3 Heterotrait-Monotrait Ration of Correlations (HTMT)

Testing of the Hypothesized Structural Model

The multicollinearity of each independent variable was diagnosed using the variance inflation factor (VIF). Because all values for VIF fell between 1.004 and 1.848, multicollinearity was not an issue in this research. The corrected R2 values refer to the explanatory power of predictor variables onto the respective constructs. To estimate the accuracy of the structural framework, the R2 of variance explained for the perceived risk of PID (0.004), perceived benefit of PID (0.13), and intention to disclose personal information (0.548) were calculated as predictive powers. In addition to the R2 analysis, Stone-Geisser’s Q2 value (Stone, 1974) was calculated to assess the predictive relevance of the model in this study. Q2 evaluates the predictive validity of a model by skipping some indicator values using calculated parameters. The difference between the skipped data points and the predicted ones is the basis for the Q2 calculation (Chin et al., 2008). Q2 shows how well the empirically collected data can be reconstructed with the help of the model and PLS parameters produced in the initial analysis. A Q2 greater than 0 means that the model has predictive relevance, while a Q2 of less than 0 is interpreted as lacking predictive relevance. The Q2 for the perceived risk of PID, perceived benefit of PID, and intention to disclose personal information were 0.006, 0.106, and 0.432, respectively, indicating acceptable predictive relevance. To determine whether there were demographic influences on the research model, this study tested years of smartphone use, and the number of PI disclosures as control variables, using 5,000 bootstrapping resamples in PLS-SEM.

Figure 3 shows the results of the structural relationships hypothesized in this research, as well as the control variables. Among the control variables considered in this study, the number of PI disclosures had a strong positive effect on the intention to disclose. This result can be understood in a similar context to the previous literature, in that with more experiences of disclosing personal information, repetition of such actions became more likely (Lang et al., 2018). On the other hand, the duration (years) of smartphone use was not related to the intention to disclose. These results indicate that the analytical data supported the proposed hypotheses, with the exception of H1b and H2b. As shown in Fig. 3, six main hypotheses were supported.

Specifically, perceived severity was found to significantly influence perceived benefit of PID (H1a: β = 0.295, t value = 5.684, p < 0.001). Additionally, perceived severity was not significantly affected by perceived risk of PID (H1b: β = -0.087, t value = 1.552). Meanwhile, perceived vulnerability significantly influenced perceived benefit of PID (H2a: β = 0.131, t = 2.604, p < 0.01), and did not influence perceived risk of PID (H2b: β = 0.086, t value = 1.412). Intention to disclose PI was affected by perceived benefit of PID (H3: β = 0.34, t value = 8.235, p < 0.001), perceived risk of PID (H4: β = -0.105, t value = 3.21, p < 0.01), subjective norms on PID (H5: β = 0.159, t value = 3.099, p < 0.01), and government pressure on PID (H6: β = 0.332, t value = 5.76, p < 0.001). That is, the strongest influence on information disclosure was the perceived benefit of PID, followed by government pressure and subjective norms. Furthermore, we verified that the perceived risk of disclosure was a major inhibitor on personal information disclosure in the pandemic situation.

Fig. 3
figure 3

Result of the structural model. Note: PID = Personal Information Disclosure

*p < 0.05, **p < 0.01, ***p < 0.001

Discussion and implications

Discussion

Despite the ongoing personal information disclosure issue in the pandemic situation, in-depth research on individual adoption behavior is insufficient, especially in the restaurant context. Several key findings from the analysis are worth noting. First, it was confirmed that threat appraisal (perceived severity and perceived vulnerability) affects the perceived benefit of PID. In other words, the greater the awareness of virus threats in epidemics, the higher the perception of privacy benefits related to personal safety protection. Also, this study verified the influence of four factors of PID on behavior intention. We verified that perceived benefit was the most influential factor on intention to disclose. It was demonstrated that the perception of the benefit related to individual safety was the most influential factor in the pandemic situation. In the context of COVID-19, individuals can contribute to quarantine policies by allowing the activation of contact tracing. In this process, individuals are willing to voluntarily share their personal information and movement history in return for the significant assurance that they are protected by obtaining information on local infections. In this regard, Hassandoust et al., (2021) showed that the perceived benefit of contact tracing had a stronger influence on the intention to install contact tracing apps than privacy risk beliefs did. Moreover, we verified that subjective norms and government pressure, considered extrinsic factors, are also significant factors influencing PID behavior. Since contact tracing is closely related to public interests in pandemic situations, it can be a crucial issue for individuals to feel a sense of legitimacy and necessity when disclosing personal information (Hartley & Jarvis, 2020).

A post-hoc analysis: The moderating effect of cultural difference

Given that COVID-19 and privacy issues are common worldwide, we consider it meaningful to understand differences in privacy-related motivators/inhibitors and behaviors for different cultural backgrounds (individualist versus collectivist culture). Accordingly, a post-hoc analysis was performed. A multi-group analysis was conducted to examine the influence of cultural differences on the disclosure of personal information between two groups – an individualist culture (as in the US and the UK) versus a collectivist culture (South Korea) determined by referring to the measures of individualism-collectivism in Hofstede’s dimensions. According to Hofstede Insights (2021), the individualism values for South Korea, the UK, and the US were 18, 89, and 91, respectively. As shown in Table 4, the paths from perceived risk and intention to PID behavior were significantly stronger in the US and UK groups than in the South Korean group (difference = 0.15, p < 0.05); however, for the other paths, differences between the South Korean group and the US and UK groups were not significant.

IS researchers have verified that there are differences in information privacy concerns based on cultural differences (Bellman et al., 2004). Specifically, Dinev et al., (2006) investigated cross-cultural differences in beliefs related to e-commerce use in Italy and the US. They found a strong moderating effect between perceived risks and e-commerce use in individualist cultural groups (US). The results of post-hoc analysis also show that individualist countries tend to be more sensitive to privacy risks.

Table 4 PLS Multigroup Analysis for Two Groups

Implications for research and practice

This study contributes to individuals’ privacy-related literature in several ways. First, this study applied the protection motivation theory (Wurtele & Maddux, 1987) to better understand customer privacy calculus in pandemic situations. Specifically, by verifying the relationship between protection motivation factors (i.e., perceived severity and perceived vulnerability) and perceived benefit, we established that restaurant customers perform a “situational privacy calculus” when they disclose their privacy. Second, this study tried to embody and redefine perceived benefits to clarify privacy disclosure behavior. This study sought to understand individuals’ health-related benefits of contact tracing and further verified that it is a strong motivator of privacy disclosure behavior. This study differs from information privacy studies focused on individual financial and non-financial benefits before COVID-19, and enables a better understanding of the central variables of privacy calculus under health-threatening situations. Third, this study adopted institutional theory to verify the institutional impact on privacy disclosure. While many previous studies have distinguished between internal and external dimensions, the current study took a more comprehensive approach to understanding the situation. In particular, applying two theories to confirm the verification of intrinsic and extrinsic factors is considered of academic value as an approach to the theoretical integration of structural frameworks.

Since the pandemic’s start, governments, health authorities, and stakeholders involved in the fight against the virus have relied on data analytics and digital technologies to address the threat (Xiang, 2021). The use of personal information has been evaluated as a necessary measure to prevent the spread of the pandemic, but various efforts are required to minimize social problems related to privacy protection. Importantly, this study suggests meaningful implications for restaurant operations in similar circumstances and conditions worldwide. Although consumers are also very concerned about the safety and hygiene environment of multi-use facilities, they overwhelmingly desire to visit restaurants even during pandemic circumstances (Alt, 2021). Therefore, it seems necessary to continue discussions with government and health authorities about how restaurant businesses can manage the pandemic situation with respect to privacy protection as well as the physical safety of restaurant customers, based on the results of this study. More specifically, there is a need to devise ways to address two types of concerns (virus threat and privacy risk) perceived by restaurant customers in the current situation.

The following practical suggestions are presented based on the results of this study: First, to promote the benefits of privacy disclosure in the pandemic, the role of government and health authorities is believed to be crucial. Based on our results, it should be recognized that in extreme threat situations, the individual can perform situational privacy calculus that prioritizes individual health. Accordingly, the government should specifically present the purpose of “preventing the spread of infectious diseases” in health-threat situations and promote the health-related benefits of disclosing privacy. For example, efforts such as presenting phrases emphasizing the threat of infectious diseases on the QR system, continuously updating health-related information processed by disclosing personal information on government websites, and promoting public access are required.

Second, measures should be sought to induce disclosure of personal information by emphasizing the legitimacy of the government’s policy measures and the prevailing social norms. Considering that the subjective criterion for PID is a strong motivation, the government should devise ways to make restaurant customers aware of their social and moral obligation to disclose personal information. Specifically, such approaches should clearly present the influence of PID behavior on society beyond individual interests and emphasize that it is socially justified at a normative level. Furthermore, considering that government pressure is also a crucial factor driving behavior, thorough and strict legal action by the government against the inappropriate disclosure of personal information is also required.

In addition, the relationship between privacy risk and PID behavior was significant in the pooled sample (i.e., South Korea, the US and the UK), but the post-hoc analysis showed that the result was driven by the US and UK group, i.e., in the multi-group analysis, the negative relationship was significant only for the US and UK group. Thus, in the case of individualist culture countries, in particular, there is a need for restaurant managers to make efforts to reduce concerns about privacy loss in the process of collecting personal information. For example, thorough training for restaurant employees is required to prevent exposure of personal information by other customers or restaurant employees during the collection process. Although individuals habitually disclose personal information, and their perception of privacy is changing, new social problems are rapidly increasing due to the loss of privacy. In this situation, the perception that customers’ private information is being collected and managed for an appropriate purpose will increase their willingness to visit the restaurant despite disclosing their privacy.

Limitations and future research

Although the results of this research provide pertinent contributions, this research has several limitations that suggest future study directions. First, the respondents’ evaluation of threat appraisal was investigated at a specific point in time. Future research could consider a comparative study with longitudinal measurements to better understand threat situations. In addition, this study, and research applying the privacy calculus model in general, have focused on the initial transaction level, which did not consider the customers’ long-term intentions. On the other hand, social exchange theory suggests how perceived costs and benefit calculus are applied in the perspective exchange relationship. Considering this approach, further research is needed to explore these exchange relationships through longitudinal experiments rather than verifying only independent relationships at particular points in time. In addition, future research should expand beyond the cultural dimensions of individualism/collectivism used in this study and examine other individual traits (e.g., the big five personality traits) as moderating variables. It could provide a valuable extension to examining individuals’ behavior with regard to personal information disclosure in the context of a pandemic.

Conclusion

With the global spread of COVID-19, contact tracing through personal information is being used or explored in a growing number of countries, despite concerns about individual privacy and state surveillance. Although many studies have been conducted, there remains a need for more in-depth research on personal information disclosure in the context of a pandemic. To bridge this gap, this research identified the factors that encourage people to disclose their personal information in restaurants from the perspective of contextual privacy calculation and institutional effects. Specifically, this study examined the threat appraisal of COVID-19, drivers and inhibitors of personal information disclosure, and information privacy behaviors by applying privacy calculus theory (Culnan & Armstrong, 1999) and institutional theory (DiMaggio & Powell, 1983). This research developed and tested a theoretical framework for the relationships between threat appraisal, the drivers and inhibitors of PID, and behaviors relating to disclosing personal information. As a result, it was confirmed that restaurant customers performed situational privacy calculus, and the intrinsic/extrinsic factors affected privacy disclosure behavior. In addition, we verified that there are differences in factors that affect privacy behavior according to cultural differences through post-hoc analysis. Specifically, in the case of individualist culture (as in the US and the UK), even in a pandemic situation, it was found that there was a strong negative relationship between privacy risk and privacy disclosure behavior. As previously discussed, understanding these cultural differences provides essential insights to each government or health authority in a position to regulate customers’ information privacy to guide policy direction. In summary, this current study provides a contribution by adding a new “what (collecting personal information for virus contact tracing)” to an existing theory in order to describe “how (threat appraisal, drivers and inhibitor of personal information disclosure)” the relationship unfolds and “when (in the pandemic situation).“, or “for whom (country of residence; cultural difference)” the relationships are likely to be manifested (Whetten, 1989).