Gaining Trust Through Online Privacy Protection: Self-Regulation, Mandatory Standards, or Caveat Emptor

Trust is particularly important in online markets to facilitate the transfer of sensitive consumer information to online retailers. In electronic markets, various proposals have been made to facilitate these information transfers. We develop analytic models of hidden information to analyze the effectiveness of these regimes to build trust and their efficiency in terms of social welfare. We find that firms' ability to influence consumer beliefs about trust depends on whether firms can send unambiguous signals to consumers regarding their intention of protecting privacy. Ambiguous signals can lead to a breakdown of consumer trust, while the clarity and credibility of the signal under industry self-regulation can lead to enhanced trust and improved social welfare. Our results also indicate that although overarching government regulations can enhance consumer trust, regulation may not be socially optimal in all environments because of lower profit margins for firms and higher prices for consumers.

ONE AREA WHERE TRUST IN ONLINE MARKETS is particularly important is the ability of retailers to build trust among consumers so that retailers can adequately address consumers' privacy concerns. Consumers' privacy concerns have become more heightened as information technologies have enabled online retailers to collect increasing amounts of consumer information. Through direct observation, retailers can record a consumer's on-site browsing behavior, purchase history, and shipping and billing information. Moreover, retailers can add to this information over time, aggregate it across multiple databases, or easily transfer it to third parties.
While a boon to marketers, these capabilities have raised concerns among consumer advocates and regulators that this information could be used in ways that violate consumer privacy. Privacy is the ability to control the acquisition and use of information about one's self [42]. A variety of surveys and experiments have shown that privacy concerns are a leading factor impeding electronic commerce (e.g., [16,25,36,43]). For example, Consumer Reports WebWatch research report indicates that 90 percent of U.S. Internet users over the age of 18 have changed their behavior because of fear of identity theft [25]. Fundamentally, these privacy concerns arise because of a lack of trust between businesses and consumers [16,39].
Trust is the willingness of one party to be subject to the risks brought by another party's actions [12,20,27]. In the context of online privacy protection, these risks arise from uncertainty or incomplete information about retailers' actions regarding customer information. For example, security breaches may occur due to inadequate data protection or internal controls; retailers may engage in unauthorized secondary uses, such as using information that is collected for one purpose for a different purpose [8]. In this paper, we focus on the risks associated with the latter-secondary use. In this case, retailers' profit-maximizing behavior often leads to privacy protection practices that would not be optimal for their customers. Pavlou et al. [32] pointed out that uncertainty will lead to two information problems-hidden information and hidden action. Without the ability to credibly signal their trustworthiness in handling consumer information, retailers will be less able to persuade consumers to share sensitive information, hindering welfare creation for both consumers and retailers and impeding the development of online commerce.
As privacy concerns have been identified as a primary barrier to consumer trust online, governments and third parties have proposed various approaches to privacy protection. At the heart of these approaches are fair information practices that aim to empower consumers with more transparency and control over their information. Fair information practices are a set of standards to guide the adequate collection and use of personal information [9,33]. According to the Federal Trade Commission [33], the core fair information principles include notice, choice, access, and integrity. Notice or awareness requires informing the scope and usage of personal information collection. Choice or consent gives consumers options to opt out of secondary uses of information. Access or participation invites people to access their personal information to ensure accuracy and completeness of the information. Integrity or security requires protection against unauthorized access and use of data. These principles need enforcement or redress mechanisms to monitor compliance. Therefore, enforcement or redress is also part of fair information practice principles.
One can categorize the various privacy protection approaches into three general categories according to how and to what degree these fair information practices are implemented. The first category is caveat emptor-literally, "let the buyer beware." Under this approach, retailers are under no obligation to post a privacy notice or to obey fair information practices. However, if they post privacy policies, they are required by law to abide by them. This approach applies to many common types of consumer transaction data [2]. 1 At the opposite end of the intervention spectrum is the mandatory standards approach for privacy protection, where governments intervene and enact strict privacy protection standards for broad segments of consumer information. For example, the European Union has adopted mandatory standards for most types of consumer information through their 1996 Directive on Data Privacy (see [35] for a review of this Directive). In the United States, mandatory standards have been legislated more narrowly: for the use of credit reporting data, health information, some types of financial transactions, and marketing data from minors.
Seal-of-approval programs represent a third option, and serve as an interesting alternative to caveat emptor and mandatory standards regimes, particularly for Internet markets. Under this approach, a retailer can choose to join a seal-of-approval program administered by a seal-granting authority. Joining a seal-of-approval program gives the retailer the right to display a logo that certifies that the retailer will follow a set of information practices to protect consumer privacy. The seal-granting authority has the right to monitor the retailer's adherence to these standards. Therefore the sealof-approval programs provide an industry self-regulatory approach to fostering trust between online retailers and consumers through a trusted third party. Examples include the programs offered by TRUSTe and the Better Business Bureau.
While the relative merits of each of these approaches have been debated in policy and regulatory circles, there has been little systematic research that aims to understand which regime is most effective in enhancing consumer trust and which regime optimizes social welfare. Answers to these questions have important policy implications, as some privacy advocates are currently arguing that the United States should adopt an overarching set of mandatory standards for all types of customer information, similar to those adopted by the European Union [34].
This research addresses the conflict between enhancing consumer trust in an online environment and promoting society's total welfare. We develop an analytical model with hidden information. Retailers signal their willingness to protect consumer privacy by conforming to certain privacy protection regimes. Because the accuracy of consumers' interpretation of signals varies across different regimes, consumers are exposed to different degrees of risks. This research studies how different regimes can enhance trust in an online environment, where consumer relationships display great social distance, consumers are lacking firsthand experience with retailers [9], and repeated encounters do not necessarily happen. This is one of the first studies to analyze the role of signaling as a mediator to enhancing trust in the context of online privacy protection.
Our model shows that by joining a seal-of-approval program retailers can send an unambiguous signal to consumers regarding privacy protection. Under caveat emptor, a retailer can signal its intent to protect privacy by using trust-related arguments such as a privacy policy [22]. However, the possibility of misinterpretation of signals due to the length and complexity of typical privacy policies can lead to a breakdown of consumer trust and jeopardize the effectiveness of this regime. Therefore, the accuracy of signals is critical to improving trust under the caveat emptor regime. Increasing the accuracy of signals increases consumers' trust toward privacy protection-leading to higher producer and consumer surplus.
We find that consumers' attitude toward privacy plays an important role in determining the type of privacy protection signal firms choose. Under the caveat emptor regime, when consumers have relatively low sensitivity toward their personal information, firms will only provide "notice" in their privacy policies. In contrast, when consumers have relatively high sensitivity toward their personal information, firms will post the complete set of fair information practices in their privacy policies. In the intermediate case, when consumers have moderate sensitivity toward their personal information, firms with low protection costs will post the complete set of fair information practices while firms with high costs will only post "notice. " We also find that there is an intrinsic conflict between enhancing trust and achieving optimal social welfare. An effective privacy protection regime, such as mandatory standards, is not necessarily the most efficient regime in terms of social welfare. Mandatory standards undoubtedly increase consumer trust. However, when consumers benefit from uniformly higher standards of privacy protection, they also pay higher prices. This can lead to a social welfare loss, which may outweigh the benefit of a higher standard of privacy protection.

Literature Review
PREVIOUS RESEARCH HAS SHOWN THAT TRUST is essential in exchange relationships due to the embeddedness of actors in an ongoing system of social relations [14,27] and the uncertainty existing between trading partners [24]. Trust is a crucial enabling factor in relations where uncertainty, interdependence, and fear of opportunism exist [1,13]. On the Internet, consumers' privacy concerns represent important sources of uncertainty, interdependence, and fear of opportunism between trading partners.
A variety of papers have analyzed the role of addressing consumer privacy concerns on trust building over the Internet. The California Online Privacy Protection Act of 2003 [4] identifies a set of instruments for individuals' concerns about organizational privacy practices, including the collection of personal information, unauthorized secondary use of personal information, errors in personal information, and improper access to personal information-concepts central to fair information practice. Culnan and Armstrong [8] show that addressing privacy concerns by using fair information practice can facilitate trust building. Belanger et al. [3] and Kim and Benbasat [22] specifically discuss third-party privacy seals and privacy statements as trust-building tools. Joining seal-of-approval programs can serve as a type of institution-based trust in which consumers perceive that effective third-party institutional mechanisms are implemented to facilitate transaction [31,44].
A growing body of literature discusses alternative privacy protection regimes (e.g., [18,38]). Although the merits and limitations of each regime have been discussed extensively in the literature, there is no consensus regarding which regime should be adopted. Culnan and Bies [9] study government regulation, industry self-regulation, and technological solutions under a justice framework and argue that the perception of justice shapes consumers' privacy concerns. Vila et al. [40] find that asymmetric information about whether Web sites will sell private information leads to a lemons market for privacy, and that government regulation and enforced laws are the only effective methods to make all companies respect consumer privacy. James [19] demonstrates that the codification by EU law and the enforcement by the UK government does not improve the disclosure and practice of e-commerce privacy relative to markets in the United States. Hahn and Layne-Farrar [15] argue that self-regulation mechanisms can reinforce the reputation of Web sites and provide useful information to consumers.
Although the literature on trust building finds that privacy statements and privacy seals can enhance trust, there is less discussion of the different roles played by these two institutions. One contribution of this paper is in analyzing how and why these two institutions can influence consumer beliefs differently and achieve different levels of efficiency. Most of the literature focuses on the benefits to trust building, whereas our study presents an integrated analysis of both the costs and benefits of privacy protection and highlights the resulting conflict between promoting trust and social welfare optimization when consumers have heterogeneous evaluations toward losing privacy. We consider both the effectiveness and the efficiency of different regimes of protecting online information privacy from not only the perspective of retailers but also the perspective of consumers and society as a whole.
Our paper is also one of the first few studies to introduce the role of signaling in mediating consumer privacy concerns in online trust building. We explore the three most popular privacy protection regimes by considering the problems of hidden information [21,28,41]. Further, our paper extends prior work by analyzing how the privacy regimes can be compared in terms of the quality of the privacy protection signals.

Firms and Consumers
PREVIOUS RESEARCH HAS FOUND THAT CONSUMERS may find it difficult to precontractually identify and select firms that have both the ability and willingness to protect consumer privacy (e.g., [32]). A failure to address this problem can lead to reduced consumer trust and a loss of social welfare. Our model studies how various regimes can help address this hidden information problem.
We consider a duopoly model with two competing firms, each of which sells one product to consumers. We use a setting that is similar to Hotelling's [17] model of horizontal product differentiation and consumer taste differentiation. Each firm's product is located at one end of a straight line, and consumers are evenly distributed along this line according to their tastes. A consumer's utility for a product is assumed to be v minus a fit cost that is proportional to the distance between his or her taste and the product's location. 2 Fit cost is normalized to be one per unit of distance. Without loss of generality, each firm's marginal cost of production is assumed to be zero.
If a firm chooses not to protect consumer privacy, it incurs zero cost. If a firm protects privacy by following fair information practices, it incurs a positive cost. Offering notice, choice, access, security, and enforcement would require additional managerial and technology investment. 3 The cost of protecting consumer privacy can vary significantly across firms, depending on the nature of the firm's product or service, the nature of the firm's consumers, and the amount of consumer information the firm can obtain through its transactions with consumers. Moreover, firms incur infrastructure costs associated with protecting privacy that vary across firms because different firms employ different sets of privacy protection infrastructure and personnel. In our model, we assume one firm has a low marginal cost of protecting consumer privacy (c L ) and the other firm has a high marginal cost of protecting consumer privacy (c H ), with 0 < c L < c H < ∞. 4 As shown in a number of surveys (e.g., [16,25]), consumers are heterogeneous in how much they care about their privacy. To capture this heterogeneity, we assume that a proportion of θ(0 ≤ θ ≤ 1) consumers (sensitive consumers) care about privacy and incur a utility loss of L(0 ≤ L ≤ 1) when their privacy is not protected. Likewise, a proportion of 1 -θ consumers (insensitive consumers) do not care about privacy and do not incur a utility loss when their privacy is not protected. The values of θ and L vary depending on the different types of information (financial, medical, demographic, or transaction information) [7].
Without loss of generality, we assume the firm that is located at location 0 (Firm 0) has a low cost of protecting privacy and the firm that is located at location 1 (Firm 1) has a high cost of protecting privacy. Each consumer has unit demand for these two competing firms' products and will choose the product that gives him or her a higher utility. Let Firm 0's price be p 0 and Firm 1's price be p 1 . Thus, a sensitive consumer at location λ has a utility of v -lp 0 for Firm 0's product if his or her privacy is protected and a utility of v -L -λp 0 for Firm 0's product if his or her privacy is not protected. Similarly, a sensitive consumer has a utility of v -(1 -λ)p 1 for Firm 1's product if his or her privacy is protected and a utility of v -L -(1 -λ)p 1 for Firm 1's product if his or her privacy is not protected. An insensitive consumer at location λ has a utility of v -λp 0 for Firm 0's product and a utility of v -(1 -λ)p 1 for Firm 1's product, regardless of whether his or her privacy is protected or not. All consumers obtain a utility of zero if no purchase is made.

Caveat Emptor
Under the caveat emptor regime, each firm can use its privacy policy to signal to consumers its willingness to protect consumer privacy. However, because of the length and complexity of a typical privacy policy posted by a firm, it is hard for consumers to perfectly interpret a firm's signal through its privacy policy. To illustrate this, we collected the privacy policies from the top-20 most popular shopping sites listed at Alexa (http://alexa.com). These privacy policies averaged 2,074 words in length, not including links to other supporting pages. This corresponds roughly to four pages of single-spaced typewritten text. We did a readability analysis and found the average Flesch-Kincaid [11,23] grade-level score for these privacy policies was 12.8, well above the recommended complexity for most standard documents. This finding is consistent with Milne and Culnan [29] and Milne et al.'s [30] findings that consumers found that privacy policies were often too long and confusing.
We use a garbled signal to model how consumers interpret each firm's privacy policy and obtain their interpretation of whether each firm has signaled post-contractual privacy protection or no protection. We assume a firm can send two types of signals to consumers: a policy (s L ) that signals the firm will follow fair information practices and protect their privacy post-contractually, or a policy (s H ) that signals the firm will not protect privacy post-contractually. 5 In addition, we assume consumers' interpretation of a firm's signal is not 100 percent accurate. This is consistent with extant empirical findings (e.g., [30]). If a firm sends a low-type signal (s L ), then with probability α(0 ≤ α < 1), consumers will obtain an interpretation (r L ) that the firm will protect privacy post-contractually; and with probability 1 -α, consumers will be confused and will not be able to obtain any interpretation regarding post-contractual privacy protection (r N ). If the firm sends a high-type signal (s H ), with probability α(0 ≤ α < 1), consumers will obtain an interpretation (r H ) that the firm will not protect privacy post-contractually; and with probability 1 -α, consumers will be confused and will not be able to obtain any interpretation regarding post-contractual privacy protection (r N ). Note that when α = 0, a firm's signal becomes completely garbled; and in this special case, privacy policies cannot be used as trust indices to enhance trust [3]. When α = 1, a firm's signal is not garbled at all.

The Post-Contractual Holdup Problem
Firms may be unwilling to protect consumer privacy post-contractually, even when they have signaled post-contractual privacy protection. In order for a firm's privacy policy to be a meaningful signal of post-contractual privacy protection, this postcontractual holdup problem that has been identified by previous research (e.g., [32]) must be solved. We argue that effective post-contractual monitoring by the government can help solve this holdup problem under the caveat emptor regime. We assume the government detects deceptive claims with probability µ, and penalizes a firm by F if it has made deceptive claims. If the government sets F sufficiently high-that is, µF ≥ c H > c L -then a firm that has signaled post-contractual privacy protection will indeed protect privacy post-contractually. This is because the firm's post-contractual net profit if the firm protects privacy, which is (pc i )D, is higher than the firm's post-contractual net profit if the firm does not protect privacy, which is (p -µF)D, where D is the firm's demand. We assume µF ≥ c H > c L in our model of the caveat emptor regime.

Timing of the Caveat Emptor Game
We use a two-stage game to capture the behavior of firms and consumers under the caveat emptor regime. In Stage 1, both firms post their selling prices (p 0 , p 1 ) and signal post-contractual privacy protection or no protection through their privacy policies (s 0 , s 1 ). In Stage 2, consumers observe posted prices. Consumers interpret privacy policies and obtain their interpretation of whether each firm has signaled post-contractual privacy protection or no protection (r 0 , r 1 ). 6 Consumers form belief β(r 0 ), β(r 1 ) regarding the probability that each firm will protect privacy post-contractually. Consumers then decide whether to make a purchase and which firm to purchase from, based on consumers' willingness to pay, posted prices, and their belief regarding the probability that each firm will protect privacy post-contractually. After this stage, each firm's profit and consumers' utilities are realized and the game ends.

Equilibrium in the Caveat Emptor Game
We solve for the perfect Bayesian Nash equilibrium in this game by considering four possible types of equilibrium: (1) a pooling equilibrium in which both firms signal no protection (s H ), (2) a separating equilibrium in which low-cost Firm 0 signals privacy protection (s L ) and high-cost Firm 1 signals no protection (s H ); (3) a pooling equilibrium in which both firms signal privacy protection (s L ); and (4) a separating equilibrium in which Firm 0 signals no protection (s H ) and Firm 1 signals privacy protection (s L ). Figure 1 shows the information structure of these four possible types of equilibria. P1 summarizes our analyses of the caveat emptor game: When αθL ≤ c L < c H , both Firm 0 and Firm 1 signal no protection and neither protects privacy post-contractually. A consumer's belief regarding the probability of privacy protection is β(r H ) = 0, β( rN ) = 0, β(r L ) = 1. Firm 0 and Firm 1 will split consumer demand evenly and obtain the same level of profit. That is, D 0 * = 1/2, D 1 * = 1/2, π 0 * = 1/2, π 1 * = 1/2. Figure 2 shows how Firm 0 and Firm 1 divide the market in this and the other two equilibria.
When c L < αθL < c H , the low-cost Firm 0 signals protection and protects privacy post-contractually, while the high-cost Firm 1 signals no protection and does not protect privacy post-contractually. A consumer's belief regarding the probability of privacy protection is β(r H ) = 0, β(r N ) = 0.5, β(r L ) = 1. In this case, more sensitive consumers purchase from Firm 0 than from Firm 1, while more insensitive consumers purchase from Firm 1 than from Firm 0. We have All else equal, signaling privacy protection rather than no protection helps a firm obtain a higher demand, and it also increases the firm's marginal cost. A firm would consider this trade-off when it decides whether to signal privacy protection. P1 shows that, when c L < c H ≤ αθL and c L < αθL < c H , the caveat emptor regime successfully leads to post-contractual privacy protection for at least some consumers. However, when αθL ≤ c L < c H , both firms find the potential demand gain from protecting privacy is outweighed by the increase in marginal cost, and neither signals privacy protection. This case can happen even though θ and L are both large-that is, a large percentage of consumers care about privacy protection and their utility losses are large when their privacy is not protected. As long as the probability that consumers get confused by the privacy policies is large enough-that is, α is small enough (α ≤ c L )-the case of αθL ≤ c L < c H is the only case possible. Figure 3 illustrates that when α is large, the caveat emptor regime could lead to post-contractual privacy protection for at least some θ and L. But as α declines, it could fail to lead to post-contractual privacy protection for any θ and L.

Improving Interpretation Accuracy
There are many ways firms can improve the accuracy of consumers' interpretation of the firm's signal through its privacy policy. Currently, privacy policies posted by firms have different formats and frequently are long and use confusing legal jargon. If the government or an industry consortium can draft and enforce an industry-wide standard format and template for privacy policies, this could allow consumers to read only key sections of privacy policies and compare different privacy policies side by side. The successful implementation of such a standard could improve the accuracy of consumers' interpretation process. Another approach to improving the accuracy of consumers' interpretation process is to provide consumers with tools that automatically process the large amount of information in privacy policies, such as the platform for privacy protection (P3P). P3P allows firms to make privacy policies conform to the XML-based P3P standard, and provides consumers with rule-based tools and XML parsers so that they can easily interpret privacy policies [5].
However, although promising, there are significant barriers to the widespread use of P3P protocols [9]. First, in order to implement P3P, both vendor Web sites and browsers must support P3P. Currently, not all Web sites support P3P and the commercial imple- only implements cookie filtering based on P3P. 8 Second, the accuracy with which Web sites' policies are represented by P3P user agents varies, increasing ambiguity and uncertainty for users trying to understand privacy policies [6].
We conclude that, although both approaches improve the accuracy of consumers' interpretation process, they are likely to result in an imperfect interpretation (α < 1 in our model). While privacy policies help mitigate the perceived risk of a site and facilitate trust building, uncertainty still remains.
The Effect of Interpretation Accuracy on Consumer Trust, Demand, and Firm Profit Next we study how the accuracy of consumers' interpretation of firms' signals affects consumer trust, demand, and firm profit. Proposition 2: Consumers' belief regarding the probability each firm will protect privacy post-contractually, given their interpretation of each firm's signal, is a nondecreasing function of the accuracy of the interpretation process (α).
P2 shows that consumer trust regarding privacy protection can be enhanced if we can increase the accuracy of consumers' interpretation process (α).  But as the accuracy of the interpretation process increases, Firm 0 and Firm 1 compete on price and privacy protection. Because Firm 0 has a lower cost of protecting consumer privacy, it enjoys a cost advantage when competing with Firm 1. In addition, Firm 0's competitive advantage becomes larger as the accuracy of interpretation process increases. Thus, high-cost Firm 1 loses demand and profit and low-cost Firm 0 gains demand and profit, as the accuracy of the interpretation process increases. P3 illustrates that the incentive to improve the accuracy of the interpretation process may differ for low-cost and high-cost firms.
The Effect of Interpretation Accuracy on Social Welfare in the Caveat Emptor Game Next we study how the accuracy of consumers' interpretation of firms' signals affects social welfare in the caveat emptor game.

Proposition 4: Social welfare in the caveat emptor game is a nondecreasing function of the accuracy of the interpretation process (α) when αθL < c H .
The effect of interpretation accuracy on social welfare is less straightforward. We first study the effect of interpretation accuracy on social welfare inside each equilibrium: Under the pooling equilibrium where neither firm protects privacy or the pooling equilibrium where both firms protect privacy, social welfare does not change as α increases. Under the separating equilibrium where only Firm 0 protects privacy, social welfare is increasing as α increases.
However, as Figure 3 illustrates, changes in α will move the boundaries that separate the three types of equlibria in the caveat emptor game. So we also need to compare social welfare across different equilibria at the boundaries. Social welfare is higher under the separating equilibrium than under the pooling equilibrium where neither firm protects privacy at their boundary αθL = c L . But comparing social welfare under the separating equilibrium with social welfare under the pooling equilibrium where both firms protect privacy yields an ambiguous answer at their boundary αθL = c H . Therefore, we only conclude that social welfare in the caveat emptor game is a nondecreasing function of the accuracy of the interpretation process (α) when αθL < c H .

Seal-of-Approval Programs
Under the seal-of-approval regime, a firm can send an unambiguous signal to consumers regarding whether it will protect consumer privacy post-contractually by displaying a seal-of-approval logo. In order to display the logo, firms need to meet the requirements set by seal-granting authorities. The seal-of-approval logo certifies that the firm that displays it will follow a certain set of standards to protect privacy, and that the seal-granting authority will have the right to monitor the firm's adherence to these standards. The seal-of-approval logo serves as a signal that can be easily interpreted by consumers, and the penalty imposed by the seal-granting authority on firms that display a seal-of-approval logo but do not protect privacy guarantees the credibility of this signal.
The key difference between the seal-of-approval game and the caveat emptor game is that signals are not garbled in the seal-of-approval game whereas they are garbled in the caveat emptor game. More specifically, we assume the firm can send two types of signals to consumers: displaying a logo (s L ), which signals post-contractual privacy protection, and not displaying a logo (s H ), which signals no protection. In addition, we assume consumers' interpretation of the firm's signal is 100 percent accurate. If the firm signals privacy protection (s L ), with probability 1 consumers would interpret that the firm has signaled privacy protection (r L ). If the firm signals no protection (s H ), with probability 1 consumers would interpret that the firm has signaled no protection (r H ).
We also assume that the seal-granting authority monitors firms' post-contractual behavior. Deceptive claims are detected with probability µ(0 ≤ µ ≤ 1) by the sealgranting authority, and penalized by a fine of F. We assume µF ≥ c H > c L in our model of the seal-of-approval regime because setting a sufficiently high penalty is in the best interest of the seal-granting authority. When this assumption does not hold, displaying the seal-of-approval logo becomes a meaningless signal and the market succumbs to the post-contractual holdup problem that is discussed in the caveat emptor game.
Under these assumptions, we use a two-stage game, similar to the caveat emptor game, to model the seal-of-approval program regime. In Stage 1, both firms post selling prices (p 0 , p 1 ) and signal post-contractual privacy protection or no protection through "seal-of-approval" logos (s 0 , s 1 ). In Stage 2, consumers observe posted prices and obtain an interpretation of whether each firm has signaled protection or no protection (r 0 , r 1 ). Consumers form belief β(r 0 ), β(r 1 ) regarding the probability of privacy protection given their interpretation of each firm's signal. Consumers then decide whether to make a purchase and which firm to purchase from, based on consumers' willingness to pay, posted prices, and their belief regarding the probability of privacy protection. After this stage, each firm's profit and consumers' utilities are realized and the game ends. We note that the seal-of-approval program regime is in fact a special case of the caveat emptor regime in which consumers' interpretation of a firm's signal is 100 percent accurate-that is, α = 1.

Seal-of-Approval Regime Can Enhance Consumer Trust
Under the seal-of-approval regime, the firm can send a signal of whether it will protect privacy by displaying or not displaying a "seal-of-approval" logo (s L , s H ). Consumers interpret this signal unambiguously. Consumer trust is higher in the sealof-approval game (α = 1) than in the caveat emptor game (0 ≤ α < 1). This directly follows from P2.

Seal-of-Approval Regime Versus Caveat Emptor Regime
Next we compare social welfare under the seal-of-approval regime with social welfare under the caveat emptor regime.
Proposition 5: Social welfare is no lower in the seal-of-approval game (α = 1) than in the caveat emptor game (0 ≤ α < 1), as long as the θL is low enough-that is, θL < c H .
This proposition shows that the seal-of-approval regime leads to a higher social welfare than the caveat emptor regime, when the percentage of consumers who care about privacy is low and the loss these consumers suffer when their privacy is not protected is low. Figure 5 further explains this. However, when θL ≥ c H , the caveat emptor regime leads to an outcome of only Firm 0 protecting privacy and the seal-ofapproval regime leads to an outcome of both firms protecting privacy. In this case, the comparison of social welfare under the caveat emptor and seal-of-approval regimes is ambiguous. In all other cases, the seal-of-approval regime leads to the same or higher social welfare than does the caveat emptor regime.
Under the mandatory standards regime, the government sets minimum standards for protecting consumer privacy and requires all firms to follow these standards. For example, in the United States, legislation has been passed to require minimum privacy protection standards for consumer credit reporting, health information, marketing data about minors, and some types of financial transactions [15]. This regime is similar to a conventional regulatory approach such as standard setting [26] and command-andcontrol regulation [37].
To model this regime, we assume that if a firm does not protect consumer privacy, this violation is detected with probability µ(0 < µ ≤ 1) by the government and penalized by F. This parallels enforcement in practice where governments can penalize firms that violate the government's mandatory standards either through litigation, associated penalties, or legal expenses. It is straightforward to show that the government can set F sufficiently high (i.e., µF ≥ c H > c L ) such that both low-and high-cost firms find it optimal to protect consumer privacy post-contractually.

Seal-of-Approval Regime Versus Mandatory Standards Regime
Under the mandatory standards regime, all firms are forced to follow the standards set by the government and protect consumer privacy post-contractually. Assuming the government can effectively enforce the mandatory standards, this regime leads to the highest level of consumer trust possible-consumers believe that firms will protect privacy post-contractually with probability 1. In terms of enhancing consumer trust, the mandatory standards regime is obviously more effective than the seal-of-approval regime. However, the mandatory standards regime may be less efficient than the sealof-approval regime, in terms of enhancing social welfare.
The key difference between the mandatory standards and the seal-of-approval regimes is that the former forces firms to protect privacy while the latter allows the firm to freely choose. As illustrated by Figure 6, when c L < c H ≤ θL, both regimes lead to the same outcome. However, when c L < θL < c H , the seal-of-approval regime leads to an outcome in which only the low-cost Firm 0 protects privacy; it leads to an outcome in which neither firm protects privacy when θL ≤ c L < c H . Under the mandatory standards regime, both firms always protect privacy.
Proposition 6: Social welfare in the seal-of-approval game is no lower than social welfare in the mandatory standards game.
P6 shows that social welfare is higher under the seal-of-approval regime than under the mandatory standards regime in both of these cases: when c L < θL < c H and when θL ≤ c L < c H . This proposition shows that forcing firms to protect privacy, as in the mandatory standards regime, could lead to an overall decrease in social welfare. This is particularly true when few consumers care about privacy protection and when the potential utility loss from privacy not being protected is small. In these cases, the gain in social welfare from protecting consumer privacy is outweighed by the cost firms incur in protecting consumer privacy.
This result suggests that adopting the mandatory standards regime for nearly all types of consumer information may not always be optimal from a social welfare perspective. For certain types of purchase and demographic information where few consumers have privacy concerns or where consumers are less sensitive to privacy violations, a mandatory standards regime could lead to a loss of social welfare, because in these cases, both consumers who are sensitive to privacy protection and those who are not have to pay for protection through higher prices.
However, we caution that there may be other reasons favoring a mandatory standards regime. For example, our model assumes that seal-granting authorities can effectively detect and penalize deceptive claims, and hence the post-contractual holdup problem is not the focus of this paper. But if the government can much more effectively and efficiently enforce post-contractual compliance than seal-granting authorities, especially for certain types of consumer information (such as health and medical information, credit and some types of financial information, and marketing information obtained from minors), then a mandatory standards regime makes more sense than a seal-ofapproval regime.

Discussion and Concluding Remarks
IN THIS PAPER, WE DEVELOP A MODEL OF hidden information in which online retailers can signal to consumers regarding their willingness to protect consumer privacy. We analyze retailers' strategies under three privacy protection regimes commonly chosen by market designers or government regulators-caveat emptor, seal-of-approval programs, and mandatory standards. Under a caveat emptor regime, retailers can post a privacy policy that imperfectly signals privacy protection or no protection. Under seal-of-approval programs, retailers can send an unambiguous signal by joining sealof-approval programs. Under mandatory standards, there is no need to send signals because of the high level of government intervention.
This research differs from much of the previous research on trust in that we focus on the role of signaling in enhancing trust in the context of online privacy protection. We find that the extent to which retailers influence consumer trust depends crucially on the clarity and credibility of the signal retailers send. Seal-of-approval programs increase the credibility of the signal regarding privacy protection, leading to a higher level of consumer trust than the caveat emptor regime.
The mandatory standards regime is the most effective way of enhancing consumer trust. But we find that it can be less efficient than the seal-of-approval programs regime in terms of social welfare, in particular for cases in which few consumers are sensitive to privacy and when their potential loss is small. This is because mandatory standards regimes lead to higher retailer costs and, as a result, higher prices. This, in turn, leads to a social welfare loss, which may outweigh any benefits from better privacy protection. Effectively, seal-of-approval programs allow customers to self-select whether to deal with a firm that protects privacy or a firm that does not protect privacy (and correspondingly has a lower price). Thus, in general, adopting a mandatory standards regime for nearly all types of consumer information is not a socially optimal approach to protecting consumer privacy.
Despite federal and state governments' efforts to protect privacy, surveys and opinion polls continue to show that some companies do not post privacy policies and are not subject to enforcement. According to the analysis of this paper, this situation falls into the caveat emptor regime. Because no signaling mechanism is in place to enhance consumer trust, consumers bear high privacy-related risks when conducting transactions with those companies.
As suggested by our model, the existence of consumer heterogeneity also influences the coexistence of different privacy protection regimes. In the United States, privacy is taken as negotiable historically, whereas in the European Union it is taken as a human right [35]. Thus, the United States currently adopts a sectoral approach to addressing privacy concerns while European countries adopt an omnibus approach to protecting privacy.
However, a limitation of our model is that we do not consider dynamic settings where firms' decisions in one period would influence outcomes in future periods. We do this for the sake of parsimony and clarity of exposition. In a dynamic setting, firms would have additional strategies for communicating trust to their customers, including using the value of a brand name as a bond that would be forfeited if trust is violated [41], or signaling trust through potential lost sales in a repeated game setting [10,19]. But such strategies will not be available to many retailers, particularly in settings with infrequent interaction or short/nonexistent purchase histories.
Building on this point, it is important to note that none of the approaches above is a necessary or sufficient condition to build trust, and it would be interesting for future work to discuss the interactions between various privacy trust-building strategies. For example, some of these strategies may work well in combination, such as signaling trust through both repeated interactions and through seal-of-approval programs. Similarly, some strategies may conflict. For example, some established retailers may be reluctant to join any seal-of-approval programs for fear of conflicting with their brand names. In this case, both the caveat emptor regime and the branding effect jointly safeguard consumer privacy.
We also note that alternative approaches for trust building are especially important when there are no privacy policies to signal protection. Reputation, branding, and consumer experience may be used as indices for trust building and to guide transactions. Moreover, companies can provide monetary payoffs in the form of discounts or better services or a wide product selection to compensate for the potential loss of consumer privacy. Still, privacy laws that require at least notice or awareness of the fair information practices are needed, so that companies can communicate with consumers about their privacy protection practices meaningfully and effectively.
Companies can potentially offer one price that is associated with privacy protection and another price that is associated with no protection. This menu of prices allows consumers to self-select whichever option gives them the highest utility. While such a strategy is not at all widespread today, it would be interesting for future research to analyze such versioning strategies.
Our analysis offers strategic insights for a variety of audiences, including third-party organizations overseeing the industry's practice of protecting privacy; market designers; businesses upholding guidelines, standards, and practices of privacy protection; and government agencies administering online privacy protection. For third-party organizations, our results suggest that industry self-regulation can be accomplished through seal-of-approval programs if retailers' violations of privacy can be caught and penalized effectively. For market designers, our results also suggest that automated solutions to communicating retailer trust, such as the P3P standard, can help improve the efficiency of markets in the presence of caveat emptor regimes. For businesses, our results suggest that the incentive to improve signal accuracy will differ for lowcost firms and high-cost firms. Finally, for regulatory agencies, our results suggest that overarching approaches to privacy protection where all types of data are covered by the same set of mandatory standards are not necessarily the socially optimal solution. Instead, government agencies should educate consumers to foster their ability to understand firms' privacy practices, so that consumers and firms can transact more effectively and efficiently.
tection. This assumption makes sense because the signals sent by the firms (privacy policies) are backed up by post-contractual monitoring. This monitoring ensures a firm that has signaled protection will protect privacy post-contractually. In our model, the signal sent by the firms on post-contractual privacy protection is a more dominant signal than is price.
7. The Online Appendix can be downloaded from www.heinz.cmu.edu/~mds/jmis.pdf. 8. We thank an anonymous referee for this point.