Information Sensitivity Typology: Mapping the Degree and Type of Risk Consumers Perceive in Personal Data Sharing

Surveys show significant public concern regarding information privacy. To better understand how consumer concerns vary by type of personal data, the authors created a typology of information types based on perceived associated risks. In a national consumer survey, 52 information types were analyzed along four perceived risk categories (physical, psychological, monetary, and social), consumers' overall sensitivity regarding the information, and their willingness to provide it. This resulted in six highly distinctive clusters--Basic Demographics, Personal Preferences, Contact Information, Community Interaction, Financial Information, and Secure Identifiers--organized around similarities in perceived risk profile. Additionally, consumer segmentation analysis shows rank order of cluster risk perceptions to be stable, even when perceived magnitude and overall risk propensities change by segment. This research advances the conversation from an outdated PII/non-PII framework to a more meaningful, consumer-based understanding of the perceived risks associated with different types of personal information. ********** Americans voice significant concerns about safeguarding their personal information. According to a recent Pew Research Center national survey, 91% of adults believe that consumers have "lost control" over how personal information is collected and used (Pew Research Center 2014). In just the past few years, Americans have witnessed major security breaches of private information at large corporations such as Target, Neiman Marcus, and Anthem. The media is replete with stories of individuals who have lost their reputations, their financial well-being, and even their lives due to unapproved access to personal information. The US government, no stranger to accusations of privacy invasion, regularly publishes reports exhorting federal agencies, companies, and other organizations to do all that they can to protect people's privacy (McCallister, Granee, and Scarfone 2010). Marketers, facing growing security threats and public policy concerns for protecting consumer privacy and hoping to build trust with consumers, are revisiting their practices regarding information safety. Earning trust requires marketers to learn and manage consumers' concerns and risk perceptions. Regarding public policy initiatives, there has recently been a call from the federal government to incorporate feedback from consumers themselves in this process. In 2014, FTC Commissioner Maureen Ohlhausen noted that for privacy research to inform public policy, it should "shed light on specific consumer attitudes and preferences regarding privacy choices," as well as provide "empirical evidence on how consumers perceive and understand privacy-related disclosures" (Ohlhausen 2014). Industry standards assert that information that is personally identifiable be considered most sensitive. Over the years, the US Department of Commerce's National Institute of Standards and Technology (NIST) has issued guidelines regarding what should be considered personally identifiable information (PII). However, as we will explore in greater detail, NIST has never supplied a clear listing of what is and is not PII. Many experts argue that the PII/non-PII distinction is meaningless anyway, given the ability of current reidentification algorithms to link seemingly innocuous data into something personally identifiable. The same is true regarding the definitions of PII supplied by other federal agencies such as the Department of Homeland Security (2012) and the Office of Management and Budget (Orszag 2010). Each has struggled to provide a precise definition of PII, which suggests the very concept of PII/non-PII has lost its usefulness. Replacing this paradigm is a move toward understanding how different types of information are related to each other in the information ecosystem, which is defined as the flows of different types of personal information among the producers, distributers, and users of the information in the marketplace (Federal Trade Commission 2012). …