A multiphase mixed-methods analysis of UK e-commerce privacy policies

Database technology and advanced statistical processes have rendered it possible to process unprecedented volumes of personal data. However, tension exists between the rights of those that are the subject of personal data processing and the interests of commercial organisations and governments. Privacy policies are supposed to describe how and why personal data is processed. The aim of this research was to explore how these statements could be improved in the context of UK e-commerce. A novel, mixed method phased approach was adopted to address the research aim. In phase one a content analysis of UK e-commerce privacy policies was carried out. Findings showed UK e-commerce privacy policies do not consistently follow good practice guidelines. Moreover, results revealed several information gaps that need to be addressed considering the transparency obligations outlined in the General Data Protection Regulation. Phase two explored user attitudes towards UK e-commerce privacy policies. Barriers to readership and heuristics are outlined along with perceived positive and negative characteristics of UK e-commerce privacy policies. Phase three examined user attitudes towards a layered prototype privacy policy revealing preferences for summary and full layered notices. Phase four demonstrated perceived ease of use and perceived efficiency differences in support of the prototype layered privacy policy compared to a typical privacy. In addition, findings highlighted user support for privacy policy standardisation. Findings from phases one to four are synthesised and evidence-based recommendations are made that are aimed at improving UK e-commerce privacy policies in the short and long term.