Can privacy concerns for insurance of connected cars be compensated?

Internet-of-things technologies enable service providers such as insurance companies to collect vast amounts of privacy-sensitive data on car drivers. This paper studies whether and how privacy concerns of car owners can be compensated by offering monetary benefits. We study the case of usage based car insurance services for which the insurance fee is adapted to measured mileage and driving behaviour. A conjoint experiment shows that consumers prefer their current insurance products to usage based car insurance. However, when offered a minor financial compensation, they are willing to give up their privacy to car insurers. Consumers find privacy of behaviour and action more valuable than privacy of location and space. The study is a first to compare different forms of privacy in the acceptance of connected car services. Hereby, we contribute to more fine-grained understanding of privacy concerns in the acceptance of digital services, which will become more important in the upcoming Internet-of-things era.


Introduction
As mobile and sensor technologies are becoming omnipresent, the vision of connected cars is unfolding (Fleisch et al. 2014;Gerla et al. 2014). By connecting cars to the Internet, vast amounts of data can be collected on mileage and driving behaviour (Paefgen et al. 2012). Service providers can utilize such data to offer value-added services like traffic safety, vehicle diagnostics, preventive maintenance and advanced real time navigation (Leminen et al. 2012). Connected cars also enable actors in the car industry to engage new methods for customer relationship management, (proximity) marketing and after-sales services (Tenghong et al. 2012).
However, collecting vast amounts of data from connected cars creates privacy and ethical hazards. In general, privacy concerns negatively affect the intention to use digital services (Malhotra et al. 2004;Miyazaki and Fernandez 2001). Service providers can compensate privacy concerns by offering convenience or monetary rewards as has been shown for ecommerce services (Hann et al. 2007;Laudon 1996;Li et al. 2010). However, sensitivity of disclosed personal data will be substantially higher for connected car services than traditional electronic services as highly detailed habits and mobility patterns can be inferred. Since sensitivity of disclosed personal data has a significant positive effect on related privacy concerns (Bansal and Gefen 2010), the question arises whether and how such elevated privacy concerns can still be compensated by service providers. This paper studies if and how privacy concerns for connected car services can be compensated financially. We study this issue through a discrete choice experiment in which the buy-off value of different types of privacy risks is evaluated. We define privacy as Ban interest that individuals have in sustaining a 'personal space' free from interference by other people and organizations^ (Clarke 1999). As a case to study JEL classification L86 this issue, we focus on usage based insurance services (Handel et al. 2014). Insurance services are especially relevant as privacy concerns regarding the insurance industry and its online platforms are already high. Specifically, we consider usage based insurance services for which the insurance fee is based on actual car use. Differentiating insurance fees based on car use is relevant since damage risks are correlated to the amount of driven kilometres (Vonk et al. 2003) as well as driving behavior (Lajunen et al. 1997). Usage based insurance services are starting to emerge on the market that utilize not only GPS-data but also motion sensors to measure car acceleration/ deceleration and driving behavior. Usage based insurance services are a suitable research object since they raise privacy concerns (Troncoso et al. 2011).
Section 2 provides the background of the study, followed by an overview of the mobile insurance domain in Section 3. Section 4 provides the method, followed by results in Section 5. Section 6 discusses the findings and concludes the paper.

Theoretical background Privacy as an interest
Academic discourse on privacy takes place in different schools with each their own assumptions (Bennett 1992). Initial notions on privacy have been made over 2000 years ago, most notably Aristotle's distinction between the public sphere of political activity and the private sphere associated with family and domestic life. Innovations like photography and newspapers instigated modern debates on privacy in the last part of the 19th century.
Traditionally, privacy has been conceptualized as a right to control over information about oneself. Westin (1968) defines privacy as the ability of individuals to determine for themselves when, how, and to what extent information is communicated to others. Westin further elaborates on four states (solitude, intimacy, anonymity and reserve) and four functions of privacy (personal autonomy, emotional release, self-evaluation, and limited and protected communication). The four states indicate how different size units (individual and groups) are involved in the privacy phenomena and how the setting influences the concept of privacy. The four functions describe multiple modes to act regarding privacy, which may vary over time and per setting. Altman (1975) elaborated further on this non-monotonic view on privacy to explain why people sometimes prefer to be left alone but at other times like to engage with others. He defines privacy as a dialectic and dynamic boundary regulation process which allows a selective control of access to the self or to one's group.
While the previous conceptualizations assume privacy is a right, an alternative view is to consider privacy as a moral value. In this view, privacy is defined as a condition of not having undocumented personal information known or possessed by others (Parent 1983).
More recently, utilitarianists have conceptualized privacy as an interest rather than an absolute right. Clarke (1999) considers privacy as a thing that people like to have. Clarke (1999) defined privacy as Ban interest that individuals have in sustaining a 'personal space' free from interference by other people and organizations^.
Many more privacy theories exist in different scientific disciplines. For instance, Posner (1981) conceptualizes privacy from an economic perspective as market failure because it results in information asymmetry. Thomson (1975) describes privacy as redundant since privacy rights overlap with constitutional rights as property rights and rights to bodily security. Many more (sub)theories and views on privacy exists (Burgoon et al. 1989;Paine et al. 2007).
This study will follow the utilitarian view of privacy as an interest, since this implies that privacy can be given up. As long as the benefits of the service exceed related sacrifices, users will be persuaded to give up their privacy. Similar conceptualizations dominate related work on privacy concerns in e-commerce (Chorppath and Alpcan 2013;Dinev and Hart 2006;Hann et al. 2007;Li et al. 2010).
Central to the definition of privacy is the issue of privacy concern (Westin 1967). Privacy concerns are defined here as the deviation between required privacy interests and satisfied privacy interests.
Assuming that privacy is an interest, Clarke (1999) suggests various types of privacy that may be relevant. Clarke defined four categories of privacy, including privacy of the person, privacy of personal data, privacy of personal behavior and privacy of personal communication. Finn et al. (2013) argue that these four types of privacy do not cover potential privacy issues of recent technological advances. Technologies such as whole body image scanners, RFIDenabled travel documents, unmanned aerial vehicles, advanced DNA enhancements, second-generation biometrics and connect mobile services raise additional privacy issues. Therefore, Finn et al. (2013) expanded Clarke's categorization to seven types of privacy: privacy of the person, privacy of behaviour and action, privacy of personal communication, privacy of data and image, privacy of thoughts and feelings, privacy of location and space, and privacy of association.
Mobile insurance services especially affect privacy of behaviour and action, data and image, and location and space. Privacy of behaviour and action can be affected as data from mobile devices allow identifying travel activities. Especially when combining positioning data from mobile devices, GPS chips and social media, extensive information on one's behaviour and action can be generated. Privacy of data and image is affected as mobile insurance will typically require personal data to be shared. Privacy of location and space is especially impacted by tracking technologies in mobile phones and cars. Usage based insurance products typically require sharing location information with insurers. Almost all connected devices, even without GPS-sensors, provide detailed information on their location IP addresses, WiFi hotspots and router information.

Privacy and monetary compensation
Privacy is generally seen as a value that stimulates individual freedom and social development (Solove 2006). Based on a review of existing studies, Paine et al. (2007) show that the general public is increasingly concerned about their online privacy and willing to take countermeasures. At the same time, studies show that most consumers consider disclosing personal information as an integral part of modern life, necessary to obtain products and services (Preibusch 2013). As such, individuals do consider a utilitarian trade-off between perceived benefits of online services and sacrifices of disclosing personal information.
Disclosure of personal information generally results in elevated privacy concerns (Bansal and Gefen 2010). Various empirical studies show that elevated privacy concerns negatively affect the intention to use online and mobile services (Malhotra et al. 2004;Miyazaki and Fernandez 2001). Laufer and Wolfe (1977) suggest that individuals perform a Bcalculus of behavior^to assess the consequences of providing personal information. On the basis of this theoretical construct, individuals consider a trade-off between perceived benefits and sacrifices of disclosing personal information. This implies that unavoidable privacy concerns, associated with the use of mobile insurance, have to be compensated in order to persuade consumers to adopt. Hann et al. (2007) state that providers can mitigate the negative effect of privacy concerns on intention to use in two ways: (1) by offering privacy policies regarding the handling and use of personal information and (2) by offering benefits such as monetary rewards or convenience. The latter type of compensating benefits have been further operationalized by Li et al. (2010) into expected monetary benefits and perceived usefulness. Laudon (1996) argues that personal information is a commodity that can be priced and exchanged for monetary benefits. Further research by Jen et al. (2013) showed that the expected monetary benefits have a positive influence on intention to use electronic services. Hereby monetary benefits could be achieved through a discount on existing services or direct pay-outs (Jen et al. 2013).

Mobile insurance Insurance industry
Insurance is defined as the equitable transfer of the risk of a loss, from one entity to another, in exchange for a payment (Dorfman and Cather 2012). In practice this comes down to a contract whereby in consideration of a premium, the insurance company agrees to cover the insured subject to agreed limit, in the event of a loss (Ibiwoye 2011). Insurance works by pooling risks: while assessing risks for one individual person involves high uncertainties, fairly precise risks can be estimated for large groups of people (Smith and Kane 1994). A more precise expectation of risk events enables more precise premium calculations, enabling insurers to offer more competitive prices (Mackenzie 2014). By pooling risk, the concept of insurance provides both benefits for consumers as insurers. From a consumer perspective, insurance serves financial security and stability since future uncertainties are covered. For insurance companies, insurances are their driving element of business contributing to their profit. In this paper, we focus on consumer rather than corporate insurance products, and on non-life rather than life insurance.
Although the insurance industry is not recognized for being innovative, advanced mobile technologies offer great opportunities (Berdak and Carney 2014). Insurance companies earn revenues from insurance premiums collected from insurance takers but also earn income from return on investments financed by pooled insurance premiums. Insurance companies expenses include incurred losses from paid and reserved claims as well as underwriting expenses resulting from selling and administering insurance policies. By optimizing and automating insurance processes, such as sales-, contract-and claim activities, efficiency gains could be achieved and underwriting expenses could be minimized (Berdak and Carney 2014). However, mobile technologies may also help insurers to reduce their incurred losses as data on behavior of insurance takers helps insurers to estimate risks more accurately. In addition, insurers could feed back data to insurance takers in order to enhance risk awareness, which subsequently may reduce incurred losses.

What is mobile insurance?
A wide range of mobile insurance services exist on the market. We explore a variety of sources including journals, theses, conference proceedings, reports, newspapers, business publications, market scans, industry expert reviews and the Internet. Search terms employed were: innovative, mobile, connected, future, wearable, location, context, insurance, service, home, car, health, service, product, application, innovation and discount. Instances of mobile insurance services were added to a long-list as long as they had insurance elements, utilized some form of context information and were distinct from services already on the long-list. We stopped adding services to the long-list when no new service concepts were elicited. The ultimate long-list contains 53 mobile insurance services that were composed through 5 days of full-time work effort.
Next, we categorized services based on their main functionality. The categorization was validated and minor refinements were made through individual interviews as well as a workshop with experts within a large consultancy firm that have expertise on digital insurance and insurance innovation. The resulting categorization is displayed in Table 1.
In this study, we focus on usage based insurance services for which the insurance fee is based on actual car-use.

Method
We conduct a discrete choice experiment to evaluate the interplay of privacy concerns, monetary compensation and the intention to use usage based insurance services. Conjoint analysis is a statistical approach, often used in market research to determine customer preferences (Green et al. 2001;Hensher et al. 2005;Louviere et al. 2000) . Based on implicit trade-offs, perceived utilities by the respondents can be estimated per profile characteristic. By involving financial dimensions in the composition of these profiles, the willingness to pay might also be an output of the conjoint analysis (Hensher et al. 2005). We use stated-choice model (Louviere et al. 2000) rather than ratingbased conjoint analysis since in reality consumers also make a discrete choice between multiple car insurance packages.

Sample
The population of interest comprises all Dutch private car owners. The survey was carried out at a car ferry service in the Netherlands (Schoonhoven) in October 2014. To maximize the chance of finding private car owners, the survey was carried out on a Friday. After approval of the ferry service, car owners were approached to complete the questionnaire. Hardcopy questionnaire results were imputed into a spreadsheet.
Sixty respondents completed the questionnaire, of which five were omitted due to missing data. The resulting sample is representative in terms of gender (48 % male compared to 49 % in the target population) and car use (55 km per day on average compared to 37 km in the target population). The sample is biased towards highly educated (51 % higher education compared to 34 % in the target population) and younger people (34 % between 18 and 25 compared to 13 % in the target population).

Measurement instrument
In order to value individuals' privacy in monetary units, the three relevant forms of privacy identified in Section 2 are operationalized into attributes, see Table 2. Hereby, the attribute levels are composed in such a way that one level involves privacy harm and the other level involves no privacy harm.
Operationalization of the privacy types is done by building upon examples of mobile insurance products that are emerging on the market currently. As such, operationalization is as close to reality of respondents as possible, which contributes to the external validity of the study. As our main objective is to generalize to the three dimensions of privacy rather than to traits of individual respondents, we omit generic constructs such as a person's generic concern over privacy.
Privacy of location and space is operationalized into the attribute Kilometer registration, which is an important input for usage based car insurance. The insurer can measure the number of kilometers driven automatically through GPS tracking, which harms privacy of location and space. Alternatively, the consumer could register the number of kilometers With a usage-based insurance premium, consumers pay only premium for actual use of their insurance.
Behavioral rewarding; By rewarding customers for less risky behavior, the insurer is trying to reduce the risk of accidents. Up-to-date insurance package; By using personal (context sensitive) information of consumers, relevant personalized insurance products could be provided.
Preventative information services; Consumer context information offers insurers the opportunity to provide consumers with relevant context related preventative information.
Accident detection & prevention; By detecting (potential) accidents as early as possible, damages could be prevented and minimized. Mobile accessibility; Mobile technologies facilitate a communication channel for sales and services.
Personal dashboards; By measuring individual behavior, insight could be provided in risk profiles of consumers to increase risk awareness. Additional informative services; Context sensitive information offers opportunities for several semi-insurance services. driven manually through a website, which does not harm privacy of location and space.
Privacy of behavior and action is operationalized into the attribute Registration road behavior. Driving behavior could be measured automatically through an in-car motion (G-force) sensor that registers acceleration, deceleration and abrupt steering movements. By doing so, insurers gain in-depth insights in the actual user behavior which harms privacy of behavior and action.
Privacy of data and image is operationalized into the reuse of data generated by a usage based insurance service for secondary purposes. The attribute Additional insurance offerings refers to the insurer sending personalized offerings and promotions based on the data collected about the user. The sending of promotions by parties other than the insurer is referred to as Third party advertisement. As both options reuse data provided by the user for secondary purposes, they both negatively affect privacy of data and image.
The results of the conjoint analysis will provide the utility that participants derive from every attribute level. By adding a fifth attribute, these utilities can be converted into monetary compensation level, thereby eliciting the buy-off value of privacy. This fifth attribute Relative consumer saving is defined as the discount consumers will receive when adopting the usage based insurance policy. To analyze potential nonlinear effects, three attribute levels are included: 0, 10 or 20 euros discount. The level of discount is considered appropriate considering the average monthly fee of all-risk Dutch car insurance policies equals €34.
Based on the defined attributes, choice-sets are composed in which respondents compare two alternative usage based insurance options. In addition, respondents were asked whether they prefer the proposed insurance policy or their current policy. The latter option has been considered as the 'none of the choice sets' option, which is a common feature in discrete conjoint analysis. A balanced composition of twelve choicesets and related attribute levels was generated using Ngene software. Based on the choice-sets and defined attributes, a questionnaire was designed and subsequently pretested with three participants.
The consistency of the model results was verified randomly dividing all respondents' choice-preferences in two equal parts and running the analysis individually for both parts. All estimated coefficients in the sub-groups have the same direction as in the full model, and deviations are generally acceptable.
Finally, the uniqueness of each attribute was assessed by computing the correlations between coefficients. All correlations were lower than 0.80, which indicates that the model was able to unique identity the influences of the included attributes (Hensher et al. 2005).

Results
A discrete choice model is estimated to analyze the choice behavior of the respondents (Ben-Akiva and Lerman 1985). The software package Biogeme is used to this end (Bierlaire 2003). The dataset includes all predefined choice-sets and all respondents' choices from the questionnaire. The model-file includes a syntax program language to provide instructions to the Biogeme engine. Table 3 provides the part worth utilities of the attributes, which are calculated based on the parameter estimates. T-tests are performed to test the significance of the parameter estimates.
The results indicate that all parameters (and therefore all attributes) are statistically significant. Relative consumer saving has the highest importance: 65 % of a choice for usage based insurance depends on the discount offered. The residual importance is almost equally distributed over the other attributes which implies a balance willingness to pay for all attributes. Table 3 also shows a significant disutility of 1.21 compared to the current car insurance policy. In other words, respondents derive a structural disutility from usage based insurance services of 1.21.
Next, we transform utility levels to buy-off values using the Relative consumer saving attribute. As 20€ savings corresponds to 2.536 utility points (see Table 4), 1 utility point equals 7.89€. Based on this valuation, the structural disutility of usage based insurance equals €9.54, i.e. a buy-off value of €9.54 per month should be offered for consumers to switch to usage based insurance services. Table 4 presents the buy-off values for each form of privacy harm. In the table, the utility is calculated in a buy-off value using the attribute Monetary compensation. Table 4 shows that all buy-off values are in a similar range. Privacy of behavior and actions has a slightly higher buy-off value, equaling €2.98 per month. Regarding the privacy of data and image two buy-off values are determined, relative to the internal and external reuse of personal data. Respondents are willing to sell their personal data for third party advertisements if they receive a financial compensation of €2.77 per month. Strikingly, to receive relevant personalized promotions from the insurance company itself, respondents are willing to pay a monthly fee equaling €2.91.
Next, we explore moderating effects of demographics on the utilities, which is especially relevant considering the sampling bias towards younger and higher educated people. The main purpose of conjoint analysis is make generalizable claims regarding the conjoint attributes rather than the respondent characteristics. Despite this, we did explore moderating effects of demographic variables since our sample is slightly biased towards younger and higher educated people. By comparing multiple groups, we can assess whether this bias is a serious threat to the validity of our findings. Doing so requires recoding categorical and ratio variables into dichotomous scales, which requires establishing cut-off points. To distinguish age groups, we used the median as a cut-off value. By using the median cutoff, both groups have similar size which increases the chances of finding significant differences. For distinguishing education groups, we use the common distinction in the Netherlands of high (i.e. bachelor or master degree) and low education levels. To compare heavy and low car users, we used the somewhat arbitrary cut-off point of 30,000 km per year.
We reran the conjoint analysis for the demographic subgroups. Table 5 shows that demographics have considerable effect on the utilities in the conjoint model. For instance, highly educated respondents only require €4.42 to adopt usage based insurance, while lower educated respondents demand €21.33. Moreover, respondents driving more than 30,000 km per year require more compensation than those that drive less.
Regarding the privacy attributes, demographic groups differ only slightly. For instance, younger respondents derive more disutility from registration of road behavior than older people (€3.55 and €1.65 respectively). Higher educated people appear to derive more disutility with the registration of road behavior. However, we should point out here that sample size for the sub-groups is low and thus results can only be used in a speculative manner.

Discussion and conclusions
Our study shows that specific privacy concerns about usage based insurance services can be compensated by offering a marginal monthly fee. Consumers perceive privacy of behavior and action as more valuable than privacy of location and space. Regarding privacy of data and image, the buy-off value depends on who exploits privacy-sensitive data. While usage of personal data for personalized offerings from the insurer is positively evaluated, third party advertisements have a negative utility. One explanation may be that consumers trust their insurer more than unnamed third parties, as institutional trust has been shown to have an indirect effect on intention to share privacy-sensitive data for usage-based insurance services (Kehr et al. 2015). We also observe that for instance Dutch banks already offer personalized banking products for many years, but that public outrage emerged when one of the banks announced to disclose personal information for third party advertisements. Our findings do indicate that consumers prefer conventional car insurance policies considerably compared to usage based insurance, regardless of privacy concerns. As such, other considerations than privacy will likely play a role in the adoption decision of consumers. For instance, unwillingness to switch in general or normative considerations of fairness in insurance policies may play a role. We did not find considerable differences when comparing older and younger drivers. We did find that people driving more kilometres are less likely to accept usage based insurance, which can be explained because this group would pay a higher fee due to the nature of the product. A striking difference is between people with a higher education degree (i.e. bachelor or master degree) and those without as the latter group requires a much higher financial compensation. Previous studies show that safe driving behaviour is not clearly related to education level (Lourens et al. 1999;Shinar et al. 2001), and privacy concerns regarding Internet technologies have been shown to be higher for higher educated people (Sheehan 2002). As such, this finding, being only speculative here due to low sub-sample sizes, should be explored in future research.
The main downside of this survey is its representativeness. Highly educated people and people in the age-interval of 18-35 are overrepresented, and the conjoint analysis suggests that younger and highly educated people are less concerned about privacy risks. Another limitation is that interaction effects between the different dimensions of privacy were not included, which could be added in future studies.
Practical implications are that privacy concerns on usagebased insurance products can be overcome by offering minor financial compensations. Usage-based car insurance can benefit insurers as they are able to offer fairer pricing of insurance policies based on actual usage. The data collected through usage-based car insurance products can also be used by insurers to reduce their incurred losses as they allow more accurate risk estimations. Besides insurers, our finding that privacy concerns can be overcome is also relevant for providers of road pricing or other connected car services. In addition, the study shows that consumers may actually attribute positive utility to relevant personalized advertisements from insurance companies based on car usage data. Insurers may thus consider adopting more proactive marketing strategies towards consumers based on data collected through sensors and mobile devices. As such, usage-based car insurance products can also be used by insurers to offer more personalized and relevant offering to their customers. However, while usage-based insurance is technically feasible (Handel et al. 2014), earlier studies have shown that they require fundamental changes in the structure, business model and strategy of insurers (Ohlsson et al. 2015).
In terms of operationalization, different dimensions of privacy could have been measured differently. For instance, privacy of data and image could also relate to the degree to which users have control over who uses their data for noncommercial purposes. Moreover, if the operationalization of privacy of data and image would have included calculation of risk profiles and rising of rates based on driving behaviour, higher disutility may have been found. Future studies may include other factors that influence intention to disclose privacy-sensitive information, such as general privacy concerns, trust in institutions and affect (Kehr et al. 2015).
This paper takes a utilitarian view on privacy and assumes privacy concerns can be compensated financially. While this view fits the increasingly dominant utilitarian privacy literature, we are aware that there are other privacy schools that have differing conceptualizations and consider privacy as a right that cannot be bargained for (e.g., Westin 1967).
The study contributes to theories on privacy by distinguishing multiple dimensions of privacy rather than the typically one-dimensional operationalization in literature. The study shows that the buy-off value for privacy varies depending on the dimension of privacy concerned. This is especially relevant as Internet-of-things and connected cars concepts will involve ever more complex data to be released which may affect different dimensions of privacy in different ways. Self-driving autonomous cars may lead to even more research issues regarding mobile insurance. For instance, assuming that self-driving cars will increasingly be shared among pools of drivers (i.e. sharification), insurance policies and related liability risks are no longer tied to cars but to service providers or software vendors. In that scenario, trade-offs will become even more prevalent between privacy, added value and monetary compensation.