People share data on fitness apps but panic about Facebook. The so-called privacy paradox disappears once you realize the calculus includes factors researchers kept ignoring.
The number that bothered me this year was not a finding. It was a label. Somewhere in the IS literature, someone called it a paradox that people express high privacy concern and then disclose personal information anyway. The word "paradox" stuck. It showed up in paper titles, exam questions, conference panels. And every time I read it, the same thought hit me: there is no paradox. There is just a calculation that the researcher did not bother to model.
Malhotra et al. (2004) built the Internet Users' Information Privacy Concerns scale, and the structure of that instrument already hints at what is going on. IUIPC measures three things: collection, control, and awareness. Collection asks whether people feel their data is being gathered in ways they did not agree to. Control asks whether people feel they can decide how their data is used. Awareness asks whether people even know what is being collected and by whom. Notice what is missing from those three dimensions: nowhere does IUIPC ask whether people are irrational. It asks what people perceive about how their data is handled. The implication is that if you change the perceptions, you change the behavior. That is not paradoxical. That is just a person responding to their environment.
Then Dinev and Hart (2006) made the mechanism explicit. The privacy calculus says that when perceived benefits of disclosure exceed perceived risks, people disclose. When perceived risks dominate, they withhold. The word "perceived" is doing important work there. People are not weighing objective risk against objective benefit. They are weighing what they perceive, and perception is shaped by context, framing, trust, and the specific type of information being asked for. This is why someone will upload their heart rate to Strava without a second thought but will hesitate before giving their phone number to a grocery store loyalty program. The heart rate data feels controllable, the context feels familiar, the benefit feels immediate. The grocery store feels vague, the data use feels opaque, and the benefit is a discount on cereal.
Acquisti et al. (2015) took this further by showing three properties of privacy behavior that make strict rational-choice models uncomfortable: uncertainty, context-dependence, and malleability. Uncertainty means people often do not know what the real risks are, so they fill in the gaps with heuristics. Context-dependence means the same person who protects their email address from a random website will give it to a hotel desk without thinking. Malleability means small design changes, like the order of options or the default setting, change what people decide. Acquisti and colleagues were not saying people are irrational. They were saying the calculus is noisy, context-driven, and easily nudged. That is different from saying people are contradicting themselves.
When I put these three frameworks together, the "paradox" dissolves. Malhotra et al. gave us the dimensions of privacy concern. Dinev and Hart gave us the tradeoff mechanism. Acquisti et al. gave us the boundary conditions. The person who says they care about privacy and then clicks "accept all cookies" is not contradicting themselves. They are saying: the perceived benefit of immediate access to the website, right now, outweighs the vague, deferred, uncertain risk of some data being used somewhere for something I cannot specify. That is a rational decision made under uncertainty, not an irrational act that needs explaining.
The real-world evidence for this is everywhere. People share health data on fitness apps because the benefit is concrete: personalized training plans, progress tracking, community support. They panic about Facebook data because the benefit is vague and the risk narrative is vivid: Cambridge Analytica, microtargeting, political manipulation. Same person, different contexts, different calculations. That is not a paradox. That is IUIPC in action. The collection feels different. The control feels different. The awareness is different. GDPR did not stop cookie acceptance for the same reason. The regulation increased the awareness dimension by forcing disclosure, but it also created a ritual: you see the banner, you click accept, you move on. The benefit of instant access still outweighs the abstract risk of ad targeting. The calculus barely changed because the regulation addressed the wrong variable.
Smith et al. (2011) are useful here for a different reason. They argue, emphatically, that privacy is not the same thing as security, anonymity, secrecy, confidentiality, or ethics. Each of those is its own construct with its own antecedents and outcomes. Conflating privacy with any of them is a category error. When people say the privacy paradox shows that humans are bad at privacy, they are often comparing expressed privacy concern (a general attitude) with a specific disclosure behavior (a context-bound action), and they are often measuring concern using items that blend privacy with security or confidentiality. Smith et al.'s APCO model maps the flow from antecedents through privacy concerns to outcomes, and it operates at the organizational level, not the individual decision level. Using APCO to explain why someone clicked "accept all cookies" is like using a weather satellite to decide whether to bring an umbrella to class. Wrong level of analysis.
I think the persistence of the paradox label says more about researchers than about the people they are studying. If you measure privacy concern on a survey and then watch what people actually do, and you find a gap, you have two options. You can say people are irrational, which is convenient because it means your measurement is right and the human is wrong. Or you can say your measurement is incomplete, which is uncomfortable because it means you missed something. Malhotra et al. and Dinev and Hart and Acquisti et al. collectively show that what was missing was context, perceived benefit, uncertainty, and malleability. The gap closes when you add those variables back in.
There is a deeper connection here too. In CARE is Not About Privacy, I wrote about how Leidner and Tona (2021) reframe privacy through dignity rather than information control alone. The privacy calculus and CARE are complementary. The calculus explains the cognitive mechanism: people weigh perceived benefits against perceived risks in context. CARE explains what happens when that mechanism breaks down and dignity is affronted: when collection becomes surveillance, when control becomes illusion, when awareness becomes helplessness. The calculus tells you why someone clicks "accept." CARE tells you what that click costs them in terms of behavioral, meritocratic, or inherent dignity. Both lenses are needed. Neither one alone catches the whole picture.
The practical takeaway is that designing for privacy is not about making people more rational. It is about giving them better inputs for the calculus they are already doing. If the risk side is vague, people underweight it. If the benefit side is immediate and tangible, people overweight it. If you want different behavior, change the perceived risk clarity, change the control, change the awareness. That is what Malhotra et al. told us in 2004. We just kept calling it a paradox instead.