This study used confirmatory factor analysis on responses from a random sample of 459 New Zealanders to examine the theoretical basis of the concern for information privacy. The results were interpreted using two competing theories to explain differences found in the structural model of the construct when testing it with a non-US sample. Differences between US and New Zealand privacy protection approaches reflected cross-national differences in privacy concerns. The findings should contribute to our understanding of cross-national information privacy concerns and have implications for policy instrument choices.

Increased consumer concerns about organizational practices in the collection and management of personal data have resulted from several. Firstly, advances in information technology (IT) have produced efficiencies that have increased the value of personal information as a commodity for exchange [22]. Secondly, globalization has increased the need for cross-border data flows leading to concerns about different levels of protection and safeguards. Thirdly, legislation to improve privacy protection has often been enacted in reaction to surveys of consumer concern but has later been followed by legislation to decrease privacy in reaction to catastrophic events, such as the 9/11 terrorist attack. Finally, an increase in the exchange of information between public and private organizations [17] and the availability of new surveillance capabilities has contributed to consumer fears of misuse. The ease of collecting and accessing information over global networks has made information privacy concern an international issue, complicated by the variability in the way it is defined and protected by laws and policies across countries [5,15,23,39].

The purpose of my study was to examine the CFIP construct using a non-US sample to determine whether empirical evidence could be found to support Westin's control theory of privacy, upon which the construct is based. If a lack of individual control over one's information is not the only plausible explanation underlying privacy concerns, individual procedural controls for fair information practice (FIP), such as choice and consent, may be necessary but insufficient ways to justify and manage privacy. Different policy instruments (such as law, privacy-enhancing technologies, international agreements, administrative regulation, and organizational policies) are used in different countries. Different conceptualizations of the dynamic associations between individuals, public and private organizations, and IT are reflected in the current variety of approaches [2]. Cross-national and cultural differences in the way that privacy is defined may also reflect different underlying explanations for information privacy concern.

A 15-item instrument, hereafter referred to as the CFIP instrument was developed by Smith et al. in Ref. [37] as a way of measuring the multi-dimensional nature of consumer concern for information privacy (CFIP). The CFIP instrument was based on an extensive review of the privacy literature and the use of rigorous procedures to test its validity and reliability using samples of US graduate students. The CFIP instrument was designed to measure levels of consumer concern about organizational information privacy practices with respect to the four first-order factors or dimensions of CFIP shown in Table 1. Concerns about organizational practice, such as collection, errors, secondary use, and unauthorized access to personal information, represent aspects of consumer concern in terms of losing the ability to control the collection, handling, and use of personal information. The fair information practices (FIPS) displayed here are the five principles adopted by the US Federal Trade Commission: notice, choice, security, access, and enforcement. They are common to all major international codes.

Despite the recognition of FIPS in US laws and organizational policies, consumer privacy concerns remain high, as evidenced by recent Harris Interactive polls [19-21] and the Federal Trade Commission studies [13,14]. Similarly, in NZ complaints to the Privacy Commissioner rose 10% in 2001 from the previous year. The largest categories of complaints were in gaining access to personal information held by others (29.6%) and concerns over unauthorized disclosure (29.3%) [36]. Privacy concerns reported in NZ surveys were higher when the Internet was involved (e.g. 86% concerned or very concerned) but lower (e.g. 47% concerned or very concerned) when other issues, such as health care, the environment, and crime, were simultaneously considered. The 47% represented a drop from 68% concerned or very concerned in the 1994 Brian Steel Survey (cited in Ref. [42]).

Two recent international studies [26,27] using the CFIP instrument found that consumers in countries with moderate regulatory models (e.g. US and New Zealand) had greater privacy concerns than consumers in countries with either no regulation or very high regulation. Levels of concern were not significantly different between countries with moderate regulatory models. It was assumed that high regulation resulted in fewer privacy violations, leading to fewer incidents reported in the media and lower concern or else that in countries with low concern, there was little pressure by the public or advocacy groups. Both studies used relatively small per country samples (n = 706 spread over 30 countries; n = 595 spread over 20 countries). All participants belonged to the IS Audit and Control Association (IS ACA), resulting in a sample biased towards employed males with higher levels of education.

CFIP was represented as a reflective second-order factor, underlying the four CFIP dimensions in the findings of a recent study of US consumers (biased towards the more educated and affluent) [38]. This factor was interpreted as the common aspect of an individual's concern about losing control over his or her private information underlying concerns specific to each dimension. This interpretation was based on the "control theory" of privacy attributed to Westin [44], whose 1967 definition stated: "Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" (as opposed to the statement of Brandeis and Warren quoting Judge Cooley in 1890 that privacy was the right "to be let alone"). This definition reflects the individualist cultural model that prevails in North America [24]. Control is not separated from privacy in Westin's definition. The privacy as a control viewpoint has been widely used in recent studies, including [10,31]. Based on the control theory of privacy, I expected support for the following hypothesis:

This control theory has been criticized as confusing privacy with autonomy. Practically, it is impossible in today's world to have total control over personal information once it has been collected and dispersed [40]. A more recent, alternative view [28] is Moor's control/restricted ...