Changing the default setting for information privacy protection: What and whose personal information can be better protected?

With Internet service providers (ISPs) increasingly demanding personal information to develop personalized services, people have become more vulnerable to privacy infringement. As a way to protect individuals' privacy, industrialized countries have implemented a "notice-and-consent" requirement, meaning an ISP must obtain users' consent to collect personal information in the course of the ISP's business. Drawing on prospect theory and earlier work on information privacy and behavioral science, in this study, we administered an online survey experiment to test whether the giving of consent differs between 'opt-in' and 'opt-out' frames. The framing effect was found to be moderated by personal information type, people's attitudes toward privacy, and people's privacy infringement experience. The results indicate that the opt-in frame better protects users' information privacy, and the framing effect is magnified when the targeted information concerns online activities, when users have weakly held privacy attitudes, and when users have less experience of privacy infringement.