Journal of Business Research 136 (2021) 63–75

Contents lists available at ScienceDirect

Journal of Business Research

journal homepage: www.elsevier.com/locate/jbusres

An exploratory and confirmatory composite analysis of a scale for

measuring privacy concerns
Deodat Mwesiumo a, *, Nigel Halpern b, Thomas Budd c, Pere Suau-Sanchez c, d, Svein Bråthen a
a
Faculty of Logistics, Molde University College – Specialized University in Logistics, Post Box 2110, 6402 Molde, Norway
b
Department of Marketing, Kristiania University College, Post Box 1190 Sentrum, 0107 Oslo, Norway
c
Centre for Air Transport Management, Cranfield University, MK43 0TR Bedfordshire, United Kingdom
d
Faculty of Business and Economics, Universitat Oberta de Calunya, Av. Tibidabo, 39-43, 08035 Barcelona, Spain

A R T I C L E I N F O A B S T R A C T

Keywords: This paper reports a confirmatory composite analysis of a scale for measuring privacy concerns, and the effect of
Privacy concerns scale privacy concerns on the willingness to provide personal data. The analysis is based on 468 survey responses,
Confirmatory composite analysis divided into two contexts: airport digital services and online retail services. Results from both contexts confirm
Partial least squares path modelling
that privacy concerns consist of a third-order construct comprising two-second order constructs (interaction
Airport management
Online retail
management and information management) and a first-order construct (awareness). The effect of privacy con­
cerns on the willingness to provide personal data is higher in the airport digital context than in the online retail
context. Also, the relevance of the three dimensions varies by context. Thus, researchers must carefully consider
their research context and include items for the most relevant dimensions of privacy concerns in measurement
models. Likewise, managers must prioritise dimensions of privacy concerns according to their business context.

1. Introduction across disciplines, providing a basis for the formulation and testing of its
probabilistic relations with other theoretical constructs. The validity of
Digital services provide opportunities to enhance customer experi­ evidence obtained from such research will partly depend on the effective
ences by offering more convenience and greater levels of person­ operationalisation of privacy concerns into specific, concrete and
alisation. However, the collection of customer data to enable such measurable indicators. Given its importance, there have been several
services has led to increased concerns regarding privacy. Indeed, privacy attempts to develop and test scales for the measurement of privacy
concerns resulting from the proliferation of digital services have become concerns in different contexts. Although existing studies provide valu­
one of the critical social-cultural issues of our time, and the implications able insights, there have been mixed findings. For instance, while some
of this from a consumer behaviour perspective have been noted by studies have identified privacy concerns as a second-order factor (e.g.
previous studies. For instance, Miltgen et al. (2016) found that privacy Smith et al., 1996; Malhotra et al., 2004), Buchanan et al. (2007) found
concerns reduce consumers’ intention to accept innovations in infor­ only one dimension, and Hong and Thong (2013) identified it as a third-
mation technology, while Jozani et al. (2020) found that privacy con­ order factor.
cerns result in reduced user engagement with social media-enabled The inconsistent findings of previous studies warrant further
applications. Oghazi et al. (2020) argue that as awareness regarding research to guide an effective and efficient measurement of privacy
privacy issues increases, customer concerns also rise, and may subse­ concerns in future studies, and this study contributes in three ways.
quently result in a greater unwillingness to disclose personal informa­ Firstly, it conducts a differentiated replication of Hong and Thong
tion. Wieringa et al. (2019) note that although data is considered the (2013), which among all previous studies, identifies the largest number
new oil of the economy, privacy concerns among consumers limit its full of privacy concerns dimensions and is the only one to identify privacy
potential. Since privacy concerns affect consumer behaviour, businesses concerns as a third-order factor. By replicating Hong and Thong (2013),
must take appropriate measures (Krishen et al., 2017). this study can also explore the validity of second-order and single-factor
As one of the most critical issues in this new decade (Meehan, 2019), modelling if third-order modelling turns out to be invalid. Hence, the
privacy concerns will continue to be an essential construct in research study responds to the call for a paradigm shift in business research from

* Corresponding author.
E-mail address: [email protected] (D. Mwesiumo).

https://doi.org/10.1016/j.jbusres.2021.07.027
Received 10 February 2021; Received in revised form 7 July 2021; Accepted 10 July 2021
Available online 23 July 2021
0148-2963/© 2021 The Author(s). Published by Elsevier Inc. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

testing for significant differences to testing for significant sameness expectations of how they should do it (Hong and Thong, 2013). Such
(Hubbard and Lindsay, 2013). Based on Uncles and Kwok (2013), this perceptions are subsequently related to attitudes and behaviours to­
study is a differentiated replication because it maintains the conceptual wards providing personal data to service providers. For instance,
framework used in Hong and Thong (2013) while deliberately changing Morosan (2018) finds that privacy concerns had a significant adverse
the methodological approach and context of the study. Thus, like Hong effect on travellers’ willingness to disclose biometric information at
and Thong (2013), six dimensions of privacy concerns are explored and airports. Interestingly, Goldfarb and Tucker (2012) found that refusals
confirmed. Unlike Hong and Thong (2013), a recently developed to disclose personal data has tended to rise over time, and that older
method, confirmatory composite analysis (CCA) (Hair et al., 2020), is people are less likely to disclose personal data than younger people.
applied to analyse data from 468 respondents in Norway, representing They argue that these observations are possibly related to increased
two different contexts: airport digital services and online business-to- experience with information technology (and a greater awareness of
consumer (B2C) retail services. As such, this study provides reliable potential privacy concerns), as well as a changing online population.
indicators that future research related to privacy concerns can use. They also observed an increase in the number of contexts in which
Secondly, since CCA requires an assessment of the relationship between consumers perceive privacy concerns to be relevant.
the focal construct and a potential antecedent and outcome variable, this
study tests the relationship between privacy invasion experience, pri­ 2.2. Measuring privacy concerns
vacy concerns and willingness to provide data. The results of the tests
contribute actionable insights for managers of airport and retail services. Privacy concerns constitute a central construct in studies related to
Thirdly, since this is among the first studies to apply CCA, it is hoped that privacy, and it has been measured in various ways. Considering the
it will serve as an essential reference for future studies that intend to various conceptions attached to privacy, Smith et al. (2011) observe
confirm other measurement scales. The advantages of conducting CCA, that measuring privacy itself is near impossible. Therefore, it is
as opposed to traditional factor analysis include: (1) the possibility to reasonable to conclude that the different approaches are partly due to
retain a higher number of items used to measure the construct, thus the various meanings attached to the concept of privacy. In other
improving content coverage and construct validity; (2) the availability words, since privacy is context-dependent, the measurement of it will
of determinant construct scores; (3) the possibility to apply to formative also depend on the context.
measurement models (Hair et al., 2020). More so, Benitez et al. (2020) Several studies have attempted to develop a scale for measuring
report the growing application of PLS-SEM in various fields of business privacy concerns (Table 1). Most of them use multiple dimensions,
research, thus the choice of conducting CCA using PLS-SEM seems meaning that they view it as a single theoretical concept comprised of
justifiable. two or more distinct but related dimensions. Examples of dimensions
include: (1) how personal information is collected; (2) errors in personal
2. Literature and conceptual framework data; (3) unauthorised secondary use of personal data; (4) improper
access of personal data by unauthorised people; (5) awareness of privacy
2.1. Privacy and privacy concerns practices; (6) control of personal data.
The number of dimensions identified varies by study. For instance,
Although the concept of privacy and the right to privacy have long Smith et al. (1996) identify four dimensions, while Malhotra et al. (2004)
been acknowledged (Moor, 1990), there remains no agreed definition. identify three. Intriguingly, Buchanan et al. (2007) found only one
Different disciplines such as management information systems, philos­ dimension despite including indicators related to various dimensions.
ophy, political science, law, psychology, marketing, and economics, Besides, while studies that view privacy concerns as a multi-dimensional
define privacy differently. Thus, privacy appears to be a context- construct mostly identify it as a second-order construct (where privacy
dependent, multi-dimensional and dynamic construct that evolves concerns comprise sub-constructs that are measured by observable in­
with technological advancements (Jozani et al., 2020). Smith et al. dicators), Hong and Thong (2013) identify it as a third-order construct
(2011) examine different approaches that have been used to define (that comprises second-order constructs that are further composed of
privacy in various disciplines and broadly classify privacy definitions as sub-constructs measured by observable indicators). Since Hong and
being either value-based or cognate-based. The value-based perspective Thong (2013) is the latest study to develop a privacy concerns scale, and
views privacy as a human right integral to society’s moral value system. the only one to identify it as a third-order construct, the approach taken
In contrast, the cognate-based perspective views privacy as a construct in this study is to conduct a differentiated replication of it.
related to the individual’s mind, perceptions, and cognition rather than Importantly, multi-dimensional constructs provide holistic repre­
an absolute moral value/norm. sentations of complex phenomena and allow researchers to match broad
Given its focus, this study embraces a definition of privacy that has predictors with broad outcomes (Edwards, 2001). Considering that
been widely adopted in the context of digital technologies. It refers to privacy concerns are based on a complex concept of privacy (Smith
privacy as an individual’s ability to control when, how, and to what et al., 2011), there is a strong case that privacy concerns should always
extent their personal information is used (Bélanger and Crossler, 2011; be measured using a multi-dimensional scale. As Polites et al. (2012)
Hong and Thong, 2013; Ioannou et al., 2020). This definition is suggest, it is critical to properly conceptualise and identify constructs’
consistent with the European Union’s General Data Protection Regula­ dimensions because analytical results will be influenced by how a
tion (GDPR) that views data privacy as people’s ability to control how measurement model is operationalised.
their data is used and who has access to it. According to GDPR Article 4, Against this backdrop, conducting a confirmatory analysis is justifi­
personal data refers to any piece of information related to an identified able. Previous studies have exclusively established scales for privacy
or identifiable person, including name, identification number, location concerns by confirming theoretical structures, particularly measurement
data and an online identifier to one or more factors specific to the models using confirmatory factor analysis (CFA). This process is both
physical, physiological, genetic, mental, economic, cultural or social qualitative and statistical (Hair et al., 2020). It involves examining the
identity of a person. The idea that privacy is not simply an absence of reliability of the individual indicators, construct reliability, face and
information about us in the minds of others, and that privacy is the content validity, convergent and discriminant validity, and Goodness of
control we have over information about ourselves, is not new (e.g., see Fit. The process allows researchers to evaluate multi-item constructs
Fried, 1968). based on common variance, and it is part of covariance-based structural
One aspect related to privacy that has attracted significant scholarly equation modelling (CB-SEM). Unlike the extant studies, this study ap­
attention is individuals’ privacy concerns. It refers to individuals’ per­ plies CCA, a recently proposed process for confirming PLS-SEM mea­
ceptions of how service providers handle personal data, contrary to their surement models. Like CFA, CCA aims to establish a measurement

64
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

Table 1
Examples of measurements of privacy concerns.
Authors Context Measurement approach

Smith et al. (1996); Stewart and Individuals’ concerns about organisational Privacy concern as a second-order factor consisting of 4 first-order factors measured by
Segars (2002) information privacy practices 15 indicators
The first order factors
• Collection of personal information (four items)
• Errors in personal data (four items)
• Unauthorised secondary use of personal data (four items)
• Improper access to personal data by unauthorised people (three items)
Malhotra et al. (2004) Internet users’ concerns about the privacy of their Privacy concern as a second-order factor consisting of 3 first-order factors measured
information by10 indicators
The first order factors
• Control (three items)
• Awareness of privacy practices (three items)
• Collection of personal information (four items)
Buchanan et al. (2007) Internet users’ concerns about the privacy of their Privacy concern as a first-order factor measured by 16 indicators
information Examples of items
• In general, how concerned are you about your privacy while you are using the
internet?
• Are you concerned about online organisations not being who they claim they are?
• Are you concerned that you are asked for too much personal information when you
register or make online purchases?
• Are you concerned about online identity theft?
Hong and Thong (2013) Internet users’ concerns about the privacy of their Privacy concern as a third-order factor consisting of 2 second-order factors and 6 first-
information order factors.
Second-order factors
• Interaction management
• Information management

First-order factors
• Collection
• Secondary usage
• Errors
• Improper access
• Control
• Awareness

theory. It also begins by presenting theoretical constructs and proceeds 3. Methodology

to structural modelling after confirming the measurement models.
However, there are essential distinctions between CFA and CCA (Hair 3.1. Context and key constructs
et al., 2020). CFA is based on common variance only, while CCA is based
on total variance. Also, while CFA is confirmatory only, CCA is both The two contexts, digital services at airports and online retail ser­
exploratory and confirmatory. vices were used as a basis for the analysis. The goal was to explore the
relevance of privacy concerns dimensions in different contexts. For each
2.3. Nomological network context, respondents were asked to consider personal data requested for
additional digital services versus those that are mandatory. In the case of
Conducting CCA requires testing a nomological network of the focal airports, this might include receiving notifications about the journey (e.
variable. It involves formulating a conceptual framework that links the g. flight status, queue times) and related products and services (e.g.
focal construct to its potential antecedent and outcome variables. The public transport, car parking, “click and collect” shopping, food and
framework should be supported with results of previous research (Hair drink, lounge or fast-track security access); accessing customer services;
et al., 2020). The nomological network for this study was developed by joining and receiving information from a loyalty programme; and
linking the focal variable (privacy concerns) with previous exposure to making payments for products and services online or via a mobile
privacy invasion (as an antecedent factor) and willingness to provide application. For retail, it might include receiving information on related
personal data (as a potential outcome) (Fig. 1). products and services; tracking a delivery; accessing customer services;
As shown in Fig. 1, privacy invasion experience leads to increased joining and receiving information from a loyalty programme; and stor­
privacy concerns. The argument for this assertion is that privacy inva­ ing personal and/or payment details for future purchases.
sion provides knowledge that helps improve the ability to perceive A survey for each context was used to capture the nomological
threats in a particular situation and accurately evaluate factors in the network variables: privacy invasion experience, privacy concerns, and
environment that might incur a loss of privacy (Masur, 2019). The sig­ general willingness to provide personal data. Indicators for the three
nificance of the positive relationship between privacy invasion experi­ constructs were adopted from previous studies and modified to suit the
ence and privacy concerns is supported by extant empirical research (e. two contexts: airports and retail. Following Mwesiumo and Halpern
g. Yeh et al., 2018; Ioannou et al., 2020). As for the outcome variable, (2018), all indicators were measured on a 7-point Likert scale ranging
the framework shows that privacy concerns negatively affect the will­ from “strongly disagree” (1) to “strongly agree” (7) apart from the in­
ingness to provide personal data. The argument is that customers who dicator measuring willingness to provide personal data (WD), which was
are concerned about their privacy tend to protect themselves against on a scale ranging from “very unwilling” (1) to “very willing” (7). Pri­
exposure, among other things, by refraining from sharing personal data vacy concerns (PC) was operationalised as the extent to which an indi­
with service providers. The negative association between privacy con­ vidual is worried about various aspects related to privacy. We adopted
cerns and overall willingness to provide personal data is supported by an exhaustive list of privacy concerns dimensions in the extant litera­
empirical studies such as Zlatolas et al. (2015) and Morosan (2018). ture, as identified by Hong and Thong (2013). The dimensions are data

65
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

Previous exposure to Willingness to provide

privacy invasion personal data

Privacy concerns

Fig. 1. Nomological network for privacy concerns.

to provide personal data (WD) was measured using a generalised

Table 2
statement based on Morosan (2018). Since willingness to provide per­
Constructs and items.
sonal data is a concrete attribute, measuring it by a single item is
Constructs Items justifiable (Bergkvist, 2016). Each construct (and dimension in the case
Privacy concerns (PC) of PC) and the items used in the survey to create them can be seen in
Collection (CO) CO1. It would bother me when I am asked for personal data Table 2.
CO2. I would think carefully before providing personal data
CO3. I am concerned that too much personal data is collected
Secondary usage SU1. I would be concerned that personal data I give for a 3.2. Data collection
(SU) specific purpose, might be used for other purposes
SU2. I would be concerned that personal data I give might be Data were collected using an online panel (see Fan et al., 2020;
shared with others without my authorisation
Kharouf et al., 2020 for recent studies that have also used this approach).
SU3. I would be concerned that personal data I give might be
sold to others without my authorisation Online panels provide fast and convenient access to a large pool of re­
Errors (ER) ER1. I would be concerned that personal data about me might spondents at a relatively low cost (Smith et al., 2016), and can be
be inaccurate crowdsourced or commercially maintained. In their analysis that
ER2. I would be concerned that procedures to correct errors in
compared data quality between crowdsourced and commercially
my personal data are inadequate
ER3. I would be concerned that too little time and effort is given
maintained panels, Smith et al. (2016) conclude that a commercial panel
to verify the accuracy of my personal data results in better quality data, most likely due to the vendor’s strict
Improper access IA1. I would be concerned that my personal data is not quality measures. Consequently, data for this study were collected from
(IA) sufficiently protected from unauthorised access a commercially maintained panel, which was provided by Qualtrics.
IA2. I would be concerned that too little time and effort is given
Qualtrics was also used as the online survey tool for this study.
to prevent unauthorised access to my personal data
IA3. I would be concerned that too few steps are taken to make Two separate surveys were developed, one for each context. The
sure that unauthorised people cannot access my personal data surveys began with questions used to screen respondents according to
Control (CR) CR1. I would be concerned that I do not have control over what three criteria. For the airport context, respondents had to have taken at
personal data I need to provide least one return flight during the last 24 months (24 months was used
CR2. I would be concerned that I do not have control over how
my personal data is collected, used and shared
instead of 12 months because of reduced travel during the coronavirus
CR3. I would be concerned that my personal data might be pandemic in the 12 months prior to conducting the survey). For the
altered or lost without me knowing about it retail context, respondents had to have purchased something from an
Awareness (AW) AW1. I would be concerned when a clear privacy policy is not online retailer during the last 12 months. For both contexts, respondents
given when providing personal data
had to be at least 18 years old and resident in Norway.
AW2. I would be concerned when I am not aware of how my
personal data will be used Representative quotas for Norway were then set according to age
AW3. I would be concerned when a clear explanation is not (18–24, 25–34, 35–44, 45–54, 55–64, 65+) and gender (male, female,
given about how my personal data is collected, processed, and non-binary or other). Text about each context (as explained in Section
used 3.1) and questions containing the items listed in Table 2 were then
Privacy invasion experience (PE) included with wording modified according to each context. The surveys
PE1. I believe my personal data (e.g. name, personal number, were initially written in English and translated to Norwegian. In addi­
address, telephone number or payment details) have been
tion to the authors, five Norwegians took part in a pre-test of each of the
monitored, searched, recorded, or stored at least once without
my permission surveys. Each survey was then piloted with 50-panel respondents before
PE2. I have had bad experiences with regards to the privacy of being approved for distribution. Data collection took place towards the
my personal data when using services online end of 2020. Any responses completed faster than 25% trimmed mean
PE3. I have been a victim of privacy invasion at least once in the
past as a result of using services online
Table 3
Willingness to provide personal data (WD) Respondent characteristics.
In general, I would be willing to provide personal data for
additional [digital services at airports] [online services with Airport context (n = 235) Retail context (n = 233)
retailers] Variable Response N % N %

Gendera Male 119 50.6 116 49.8

collection (CO), secondary usage (SU), errors (ER), improper access (IA), Female 116 49.4 117 50.2

control (CR), and awareness (AW). In addition to Hong and Thong Age 18–24 11 4.7 17 7.3
(2013), the phrasing of the indicators was also informed by other studies 25–34 30 12.8 26 11.2
(e.g. Smith et al., 1996; Malhotra et al., 2004; Ioannou et al., 2020). 35–44 41 17.4 38 16.3
45–54 60 25.5 49 21.0
Privacy invasion experience (PE) was operationalised as the extent to 55–64 54 23.0 56 24.0
which a respondent perceives their privacy was previously intruded. Its 65+ 39 16.6 47 20.2
measures are based on Li (2014) and Ioannou et al. (2020). Willingness a
No respondents selected the non-binary or other option.

66
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

completion time were excluded from the analysis to account for re­ structural model. Following Mwesiumo et al. (2019), the steps were
spondents who had deliberately rushed or completed the survey too carried out using PLS-SEM software SmartPLS 3.
quickly. We chose to use the 25% trimmed mean because it is equivalent Like Hong and Thong (2013), we modelled privacy concerns as a
to the interquartile mean, a measure of central tendency that shares third-order construct consisting of three dimensions: interaction man­
some properties of both the mean and the median. This ensured that agement (INTM), information management (INFM) and awareness
rushed responses were eliminated based on a robust measure of average (AW). Further, INTM consists of three first-order constructs: collection
completion time. Several more lenient thresholds were considered (5%, (CO), secondary usage (SU) and control (CR), while INFM consists of two
10% and 20%), and while they did improve the percentage of variation first-order constructs: improper access (IA) and errors (ER). Structurally,
in the target dependent variable, the direction and significance of the privacy concerns and its lower-order constructs were conceptualised as a
estimated coefficients remained unchanged, so the more robust reflective-reflective hierarchical component model. This is appropriate
threshold of 25% was used. The final sample size consisted of 468 ob­ because our goal is to determine the common factor of several related
servations (235 for the airport context and 233 for the retail context) but distinct reflective lower-order constructs (Sarstedt et al., 2019). We
(Table 3). The number of observations in each context is well above the applied the repeated indicators approach whereby all lower-order con­
sample size recommended for a statistical power of 80% in PLS-SEM structs’ items are assigned to the higher-order constructs’ measurement
(Hair et al., 2017). model. Thus, the items are used to generate primary loadings (for the
lower order constructs) and secondary loadings (for the higher-order
3.3. Data analysis constructs). We implemented the PLS algorithm and then, following
Hair et al. (2017), we executed a bootstrapping procedure with 5000
This study uses a CCA procedure for reflective measurement models runs. Results of the analysis for the two contexts are presented in Sec­
proposed by Hair et al. (2020). The procedure consists of seven steps: (1) tions 4 and 5.
estimate loadings and significance; (2) check indicator reliability; (3)
check composite reliability of the construct; (4) check convergence 4. Results from the airport context (Context A)
validity; (5) check discriminant validity; (6) check nomological validity
of the construct; (7) check predictive or concurrent validity of the In this context, CCA is conducted on the data collected from 235
construct. The first five steps help assess the quality of the measurement respondents. Fig. 2 presents the estimated nomological network and its
model. The last two steps are concerned with the relevance of the path coefficients. The results of the seven CCA steps follow.

Fig. 2. The estimated nomological network – Context A.

67
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

Table 4 Table 4 (continued )

Results of the measurement model assessment – Airport context. Indicator Loading Confidence t-statistic Rho_A AVE
Indicator Loading Confidence t-statistic Rho_A AVE (IR)1 interval2
(IR)1 interval2
Privacy concerns
Collection (CO) (PC)
CO1 0.843 0.767–0.887 27.396*** 0.869 0.777 INFM 0.913 0.935–0.966 121.463*** 0.963 0.600
(0.702) (0.833)
CO2 0.896 0.855–0.924 50.963*** AW 0.813 0.749–0.870 26.860***
(0.801) (0.660)
CO3 0.904 0.885–0.927 87.269*** INTM 0.958 0.939–0.970 126.556***
(0.826) (0.918)

Secondary usage Willingness to

(SU) provide personal
SU1 0.951 0.924–0.967 86.754*** 0.947 0.903 data (WD)
(0.904) WD 1.000 NA^ NA^ 1.000 1.000
SU2 0.960 0.942–0.974 118.992*** (1.000)
(0.922) 1
Indicator reliability; 2 Bias corrected; *** Significant at p < 0.001; ^ Not
SU3 0.939 0.907–0.961 69.381***
(0.882) applicable: single item.

Errors (ER)
ER1 0.877 0.821–0.909 38.767*** 0.874 0.797 4.1. Step 1 and 2: Estimate loadings and check indicator reliability
(0.762)
ER2 0.923 0.886–0.947 60.567*** According to Hair et al. (2020), the value of standardised loadings
(0.852) should be at least 0.708 with an associated t-statistic of above ±1.96, for
ER3 0.878 0.829–0.913 42.569***
(0.771)
a two-tailed test at the 5% level. They also recommend checking the 95%
confidence intervals (bias-corrected) of the indicator loadings. As shown
Improper access
in Table 4, all indicator loadings were above the recommended
(IA)
IA1 0.938 0.914–0.958 85.539*** 0.934 0.884 threshold and significant at p < 0.01. The significance of the loadings is
(0.880) also confirmed by the corresponding 95% confidence intervals (bias-
IA2 0.928 0.890–0.951 59.091*** corrected). Indicator reliability is obtained by squaring a related
(0.861) loading. The loading values and their squared values (presented in
IA3 0.954 0.935–0.970 109.905***
(0.910)
brackets) suggest that all indicators are adequately reliable (Benitez
et al., 2020).
Control (CR)
CR1 0.862 0.810–0.906 35.554*** 0.890 0.808
(0.743)
CR2 0.935 0.912–0.952 90.768*** 4.2. Step 3 and 4: Check composite reliability and convergence validity
(0.874)
CR3 0.898 0.850–0.927 47.63*** Composite reliability was used to test the internal consistency of the
(0.806)
constructs, as recommended by Hair et al. (2020). For this approach,
Awareness (AW) Benitez et al. (2020) emphasize using a novel and effective measure,
AW1 0.881 0.820–0.925 33.323*** 0.907 0.839 Dijkstra–Henseler’s ρA (rho_A), with a threshold of ρA > 0.7. Hair et al.
(0.776)
AW2 0.934 0.903–0.955 71.517***
(2020) note that if reliability is 0.95 or higher, then individual items
(0.872) constituting a construct are redundant, meaning that they measure the
AW3 0.931 0.883–0.958 51.962*** same concept.
(0.867) As shown in Table 4, all rho_A values are well above the recom­
Privacy invasion mended threshold. However, the rho_A value for privacy concerns is
experience (PE) above 0.95, suggesting that at least one of the three dimensions
PE1 0.880 0.834–0.921 40.019*** 0.880 0.674 constituting it is redundant. Convergent validity is checked by evalu­
(0.774)
PE2 0.850 0.773–0.895 27.828***
ating the value of the average variance extracted (AVE) with the rec­
(0.723) ommended threshold being AVE > 0.5. Convergence validity for all
PE3 0.726 0.572–0.816 11.567*** constructs is established as the observed AVE values are above 0.5.
(0.527)

Information
management 4.3. Step 5: Check discriminant validity
(INFM)
IA 0.934 0.915–0.950 106.769*** 0.922 0.712
Discriminant validity is the extent to which a construct is distinct
(0.872)
ER 0.906 0.780–0.886 31.379*** from other constructs in the conceptual model (Hair et al., 2017). Hair
(0.820) et al. (2020) and Benitez et al. (2020) recommend determining
Interaction
discriminant validity using the heterotrait-monotrait ratio of correla­
management tions (HTMT). The recommended thresholds are less than 0.90 for
(INTM) conceptually similar constructs, and less than 0.85 for constructs that
CO 0.876 0.825–0.908 41.864*** 0.943 0.674 are not conceptually similar. The results in Table 5 show that all HTMT
(0.767)
values are below the recommended thresholds, confirming that each of
SU 0.929 0.885–0.952 56.989***
(0.863) the identified constructs is distinct from the others. Therefore, consistent
CR 0.897 0.862–0.924 57.745*** with Hong and Thong (2013), our results support modelling privacy
(0.804) concerns as a third-order construct consisting of two second-order
constructs (information management and interaction management)
and one first-order construct (awareness).

68
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

Table 5
HTMT values for the constructs – Airport context.
AW CO CR ER IA INFM INTM PE SU PC

CO 0.624
CR 0.751 0.762
ER 0.555 0.536 0.748
IA 0.765 0.697 0.898 0.768
INFM 0.716 0.706 0.891 NA NA
INTM 0.762 NA NA 0.704 0.86 0.884
PE 0.410 0.376 0.504 0.478 0.461 0.511 0.473
SU 0.722 0.798 0.823 0.655 0.777 0.819 NA 0.424
PC NA NA NA NA NA NA NA NA NA
WD 0.398 0.685 0.499 0.303 0.469 0.445 0.597 0.256 0.476 NA

NA: Not applicable because one constitutes the other.

Table 6
Results of the structural models estimation – Airport context.
Path Coefficient Std. Error P Values f2 VIF R2 Q2
a L
Model 1 PC-WD − 0.521 0.065 0.000*** 1.956 1.324 0.277 0.256
PE-WD − 0.010 0.072 0.885ns 0.000N
PE-PC 0.495 0.048 0.000*** 0.324M 0.245 0.144
b M
Model 2 PC-WD − 0.547 0.062 0.000*** 0.337 1.283 0.306 0.285
PE-WD − 0.012 0.068 0.861ns 0.000N
PE-PC 0.470 0.050 0.000*** 0.283M 0.221 0.137

Model 3c PC-WD − 0.530 0.065 0.000*** 0.297M 1.322 0.285 0.264

PE-WD − 0.007 0.071 0.922ns 0.000N
PE-PC 0.494 0.049 0.000*** 0.322M 0.244 0.148

Model 4d PC-WD − 0.398 0.068 0.000*** 0.150M 1.307 0.193 0.170

PE-WD − 0.074 0.077 0.333ns 0.005N
PE-PC 0.485 0.050 0.000*** 0.307M 0.235 0.147

Model 5e PC -WD − 0.573 0.058 0.000*** 0.385L 1.269 0.331 0.311

PE-WD − 0.006 0.067 0.923ns 0.000N
PE-PC 0.461 0.051 0.000*** 0.269M 0.212 0.141
a b c d e
complete scale; information management excluded; awareness excluded; interaction management excluded; information management and awareness excluded;
*** significant at p < 0.001; ns Not significant; L large effect; M medium effect; N no effect.

4.4. Step 6 and 7: Check nomological and concurrent validity of the reliable predictions of the willingness to provide personal data for
construct additional services. The Stone–Gaisser’s Q2 values for the willingness to
provide personal data confirm that privacy concerns are a relevant
Assessing the nomological network further helps to determine the predictor of willingness to provide personal data for additional digital
validity of the focal construct. It is performed by correlating each services at airports. Overall, nomological and concurrent validity of the
construct score with other constructs (concepts) in a conceptual model. scale for measuring privacy concerns are established.
Concurrent validity assesses the extent to which a construct score pre­
dicts scores on some criterion measure. We checked nomological and 4.5. Exploring the role of privacy concerns dimensions in the airport
concurrent validity of privacy concerns by estimating the structural context
model that links it to a potential antecedent factor (privacy invasion
experience) and an outcome variable (willingness to provide data). The analysis in Section 4.1 reveals that at least one of the three di­
Model 1 in Table 6 shows the results where a complete scale is used. mensions constituting privacy concerns is redundant. This section ex­
Evaluation of the structural model should begin with the assessment plores the observed redundancy by excluding interaction management,
of collinearity. As shown in Table 6, the observed value of VIF is well information management and awareness from the model, one at a time,
below 3, indicating the absence of collinearity problems (Hair et al., and then examining the resulting R2 for the target variable (willingness
2020). Next is the assessment of the size and significance of path co­ to provide personal data) and the change in the path coefficient of the
efficients. The results show that privacy concerns are significantly relationship between privacy concerns and the willingness to provide
associated with reduced willingness to provide personal data for addi­ personal data. Model 2, 3 and 4 in Table 6 show results after excluding
tional digital services at airports, the effect size being large. Likewise, information management, awareness, and interaction management,
privacy invasion experience is significantly related to increased privacy respectively.
concerns, but the effect size is medium. Following Zhao et al. (2010), we The results suggest that either awareness or information manage­
also assessed the direct effect of privacy invasion experience on the ment can be excluded from the privacy concerns measurement model
willingness to provide personal data. The observed insignificant effect without substantially changing the percentage of explained variation in
suggests that air passengers only become less willing to provide personal the willingness to provide personal data. Compared to the complete
data for additional services at airports if their past privacy invasion led model (Model 1: R2 = 0.277; path coefficient = − 0.521), the observed
to increased privacy concerns. A structural model’s predictive relevance change in path coefficient when excluding information management is
is evaluated by assessing the value of Stone–Gaisser’s Q2. It is estab­ not significant at p < 0.1 (Model 2) (path coefficient changes to − 0.547,
lished when Q2 is greater than zero, suggesting that the model makes p ≈ 0.337). Insignificant change in path coefficient is also observed

69
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

when awareness is excluded (Model 3) (path coefficient changes to corresponding 95% confidence intervals (bias-corrected). The loading
− 0.530; p ≈ 0.444). However, excluding interaction management values and their squared values (presented in brackets) suggest that all
(Model 4) resulted in a substantial decline in R2 (from 0.277 to 0.193), indicators are adequately reliable.
and the observed change in path coefficient (from − 0.521 to − 0.398) is
significant at p < 0.05 (p ≈ 0.036). This observation prompted further 5.2. Step 3 and 4: Check composite reliability and convergence validity
analysis to examine the effect of excluding awareness and information
management (Model 5). Compared to Model 1, the change in the path As shown in Table 7, all rho_A values are well above the recom­
coefficient is not significant at p < 0.1 (from − 0.521 to − 0.547; p ≈ mended threshold (c.f. Section 4.2). However, as in Context A, the rho_A
0.19). Indeed, R2 substantially increases (from 0.277 to 0.331). To value for privacy concerns is above 0.95, suggesting that at least one of
conclude, interaction management seems to be the most important the three dimensions constituting it is redundant. Likewise, convergence
dimension of privacy concerns when predicting passengers’ willingness validity for all constructs is established as the observed AVE values are
to provide personal data for additional digital services at airports. above 0.5.

5. Results from the B2C retail context (Context B)

5.3. Step 5: Check discriminant validity

In this context, we follow the same steps as in Context A, except that

The results in Table 8 show that all HTMT values are below the
we use a different dataset and a different context. According to Uncles
recommended thresholds (c.f. Section 4.3), confirming that each of the
and Kwok (2013) classification, the analysis conducted in this context is
identified constructs is distinct from the others. Therefore, as in Context
a close replication of the first context because the conceptual and
A, our results support modelling privacy concerns as a third-order
methodological domains are held constant while the context is changed.
construct consisting of two second-order constructs (information man­
Thus, CCA is conducted on a different dataset consisting of 233 re­
agement and interaction management) and one first-order construct
spondents. Fig. 4 presents the estimated nomological network and its
(awareness).
path coefficients. The results of the CCA steps follow.

5.4. Step 6 and 7: Check nomological and concurrent validity of the

5.1. Step 1 and 2: Estimate loadings and check indicator reliability construct

As shown in Table 7, as in Context A, all indicator loadings were As in Context A, we checked nomological and concurrent validity of
above the recommended threshold (c.f. Section 4.1) and significant at p privacy concerns by estimating the structural model that links it to a
< 0.01. The significance of the loadings is also confirmed by the potential antecedent factor (privacy invasion experience) and an

Fig. 4. The estimated nomological network – Context B.

70
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

Table 7 Table 7 (continued )

Results of the measurement model assessment - Retail context. Indicator Loading Confidence t-statistic Rho_A AVE
Indicator Loading Confidence t-statistic Rho_A AVE (IR)1 interval2
(IR)1 interval2
Privacy concerns
Collection (CO) (PC)
CO1 0.821 0.742–0.872 25.116*** 0.811 0.715 INFM 0.925 0.935–0.966 78.975*** 0.962 0.591
(0.674) (0.937)
CO2 0.852 0.789–0.893 32.718*** AW 0.809 0.749–0.870 22.938***
(0.726) (0.654)
CO3 0.863 0.804–0.900 36.702*** INTM 0.968 0.939–0.970 188.525***
(0.745) (0.856)

Secondary usage Willingness to

(SU) provide personal
SU1 0.943 0.921–0.959 99.575*** 0.932 0.879 data (WD)
(0.889) WD 1.000 NA^ NA^ 1.000 1.000
SU2 0.935 0.886–0.962 50.639*** (1.000)
(0.874) 1
Indicator reliability; 2 Bias corrected; *** Significant at p < 0.001; ^ Not
SU3 0.936 0.899–0.960 61.744***
(0.876) applicable: single item.

Errors (ER)
ER1 0.853 0.794–0.894 34.003*** 0.876 0.790 outcome variable (willingness to provide data). Model 1 in Table 9
(0.728) shows the results where a complete scale is used.
ER2 0.925 0.899–0.942 84.973*** As shown in Table 9, the observed value of VIF is well below 3,
(0.856) indicating, as in Context A, the absence of collinearity problems. Next is
ER3 0.887 0.858–0.909 68.357***
(0.787)
the assessment of the size and significance of path coefficients. As in
Context A, the results show that privacy concerns are significantly
Improper access
associated with reduced willingness to provide personal data for addi­
(IA)
IA1 0.933 0.906–0.953 79.742*** 0.938 0.889 tional online retail services, the effect size being large. Likewise, privacy
(0.870) invasion experience is significantly related to increased privacy con­
IA2 0.956 0.938–0.969 121.326*** cerns, but the effect size is medium. As in Context A, the direct effect of
(0.914) privacy invasion experience on the willingness to provide personal data
IA3 0.939 0.902–0.961 63.685***
(0.882)
is insignificant. This observation suggests that customers of online re­
tailers, like air passengers, only become less willing to provide personal
Control (CR)
data for additional services if their past privacy invasion led to increased
CR1 0.871 0.810–0.913 33.326*** 0.867 0.784
(0.759)
privacy concerns. The Stone–Gaisser’s Q2 values for the willingness to
CR2 0.899 0.865–0.923 60.768*** provide personal data confirm that privacy concerns are a relevant
(0.808) predictor of willingness to provide personal data for additional online
CR3 0.886 0.841–0.918 45.188*** retail services. Overall, as in Context A, nomological and concurrent
(0.785)
validity of the scale for measuring privacy concerns are established.
Awareness (AW)
AW1 0.871 0.794–0.913 30.096*** 0.890 0.816
(0.759)
AW2 0.922 0.882–0.948 56.878***
5.5. Exploring the role of privacy concerns dimensions in the online retail
(0.850) context
AW3 0.915 0.874–0.943 54.029***
(0.837) The analysis in Section 4.2 reveals that at least one of the three di­
Privacy invasion mensions constituting privacy concerns is redundant. As in Context A,
experience (PE) this section explores the observed redundancy by excluding interaction
PE1 0.863 0.782–0.935 22.944*** 0.873 0.964 management, information management and awareness from the model,
(0.745)
one at a time, and then examining the resulting R2 for the target variable
PE2 0.862 0.748–0.908 22.065***
(0.743) (willingness to provide personal data) and the change in the path coef­
PE3 0.776 0.597–0.855 12.577*** ficient of the relationship between privacy concerns and willingness to
(0.602) provide personal data. Model 2, 3 and 4 in Table 9 show results after
Information excluding information management, awareness, and interaction man­
management agement, respectively.
(INFM) The results suggest any of the three factors (interaction management,
IA 0.933 0.915–0.950 113.524*** 0.922 0.707
awareness, or information management) can be excluded from the pri­
(0.870)
ER 0.902 0.780–0.886 60.327*** vacy concerns measurement model without substantially changing the
(0.814) percentage of explained variation in the willingness to provide personal
Interaction
data (R2). Compared to the complete model (Model 1: R2 = 0.137; path
management coefficient = − 0.381), the observed change in path coefficients is not
(INTM) significant at p < 0.1 (p ≈ 0.437 when excluding awareness; p ≈ 0.442
CO 0.884 0.825–0.908 48.229*** 0.933 0.639 when excluding information management; p ≈ 0.500 when excluding
(0.781)
interaction management). This observation is different from Context A,
SU 0.935 0.885–0.952 98.591***
(0.874) where interaction management turned out to be a decisive factor in
CR 0.872 0.862–0.924 42.114*** determining willingness to provide personal data for additional digital
(0.760) services at airports. Thus, further analysis was conducted to examine the
effect of excluding two dimensions at a time. Model 4, 5 and 6 in Table 9
show the results of excluding information management and awareness,

71
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

Table 8
HTMT values for the constructs – Retail context.
AW CO CR ER IA INFM INTM PE SU PC

CO 0.803
CR 0.733 0.752
ER 0.542 0.674 0.776
IA 0.744 0.782 0.846 0.752
INFM 0.702 0.792 0.881 NA NA
INTM 0.803 NA NA 0.758 0.896 0.900
PE 0.221 0.304 0.426 0.355 0.386 0.402 0.414
SU 0.704 0.879 0.795 0.658 0.854 0.824 NA 0.412
PC NA NA NA NA NA NA NA NA NA
WD 0.271 0.442 0.307 0.267 0.367 0.346 0.392 0.113 0.348 NA

NA: Not applicable because one constitutes the other.

Table 9
Results of the structural models estimation – Retail context.
Path Coefficient Std. Error P Values f2 VIF R2 Q2
a L
Model 1 PC-WD − 0.381 0.070 0.000*** 1.985 1.177 0.137 0.114
PE-WD − 0.033 0.075 0.665ns 0.001N
PE-PC 0.388 0.058 0.000*** 0.177M 0.150 0.088
b S
Model 2 PC-WD − 0.371 0.071 0.000*** 0.137 1.159 0.133 0.113
PE-WD 0.020 0.018 0.790ns 0.000N
PE-PC 0.371 0.057 0.000*** 0.159M 0.138 0.083

Model 3c PC-WD − 0.392 0.069 0.000*** 0.149S 1.196 0.141 0.117

PE-WD 0.045 0.074 0.550ns 0.000N
PE-PC 0.404 0.059 0.000*** 0.196M 0.164 0.099
d S
Model 4 PC-WD − 0.380 0.070 0.000*** 0.142 1.176 0.136 0.113
PE-WD − 0.032 0.074 0.668ns 0.001N
PE-PC 0.387 0.059 0.000*** 0.176M 0.150 0.088
e M
Model 5 PC-WD − 0.393 0.068 0.000*** 0.152 1.188 0.143 0.123
PE-WD 0.041 0.072 0.567ns 0.002N
PE-PC 0.398 0.057 0.000*** 0.188M 0.158 0.099

Model 6f PC-WD − 0.339 0.071 0.000*** 0.111S 1.162 0.111 0.084

PE-WD 0.015 0.077 0.848ns 0.002N
PE-PC 0.374 0.063 0.000*** 0.162M 0.140 0.097

Model 6g PC-WD − 0.246 0.069 0.000*** 0.062S 1.059 0.074 0.084

PE-WD − 0.071 0.068 0.365ns 0.005N
PE-PC 0.236 0.063 0.001*** 0.059S 0.056 0.097
a b c d e
complete scale; information management excluded; awareness excluded; interaction management excluded; information management and awareness excluded;
f
interaction management and awareness excluded; g information management and interaction management excluded; *** significant at p < 0.001; ns not significant; L
large effect; M medium effect; N no effect.

interaction management and awareness, and information management approach – CCA (Hair et al., 2020). Following the in-built replication
and interaction management, respectively. logic (Uncles and Kwok, 2013), the study is based on two different
The results show that excluding awareness and either information or datasets representing two different contexts: airport digital services and
interaction management does not significantly change the path coeffi­ online retail services. The results provide actionable research and
cient at p < 0.1 (p ≈ 0.431 when information management and managerial implications.
awareness are excluded; p ≈ 0.275 when interaction management and In terms of research implications, the results from both contexts are
awareness excluded). Compared to the complete model, the change in consistent with Hong and Thong (2013) as they confirm that privacy
R2 is also not substantial. However, excluding both information and concerns constitute a third-order construct comprising two-second order
interaction management results in a significant decline in the path co­ constructs (interaction management and information management) and
efficient at p < 0.05 (p ≈ 0.028), and a considerable change in R2 a first-order construct (awareness). Interestingly, the effect of privacy
compared to the complete model (from 0.137to 0.074). To conclude, concerns on the willingness to provide data for additional services varies
information and interaction management seem to be the most important by context. While the complete model explained about 28% of the
dimensions of privacy concerns when accounting for customers’ will­ variation in willingness to provide data in the airport context, it only
ingness to provide personal data for additional services with online explained about 14% in the retail context. This is consistent with pre­
retailers. vious research that highlights the importance of context (e.g. Bansal
et al., 2016). Besides, it appears that the relative importance of the three
6. Discussion dimensions (interaction management, information management and
awareness) also varies by context. In this study, interaction management
This study conducted CCA on a scale for measuring privacy concerns. is the most critical dimension in determining passengers’ willingness to
The insights provided are important, especially now that privacy con­ provide personal data for additional digital services at airports. In
cerns have become a critical factor in digital business research and contrast, in the online retail context, any of the three dimensions can be
management. The study has extended earlier efforts to develop a scale excluded from the scale without causing a substantial change in the
for measuring privacy concerns by applying a recently developed explanation of the willingness of shoppers to provide personal data for

72
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

additional services from online retailers. However, further analysis with using them are significantly higher among foreigners versus those
suggested that the percentage of explanation on the willingness to pro­ that live in the country of the airport that they are using – possibly
vide personal data remained almost intact in the online retail context reflecting a greater level of trust and/or willingness to provide personal
when only interaction management or information management were data to airports in one’s own country compared to those in other
the sole dimensions in the scale. This was not the case for awareness. countries. In addition, when segmenting those same passengers, Halpern
These findings have implications for managers of airport digital services et al. (2021b) revealed three main groups: those that prefer to use
and online retail services, respectively. traditional manual processes (such as with staff at a check-in desk),
For airport managers, the results suggest that privacy concerns those that prefer automated technology-based processes (such as a self-
matter more in their context compared to the online retail context – service check-in kiosk), and those that prefer more personalised
revealing twice as much effect on the willingness to provide data for technology-based processes (such as using biometrics to check-in for
additional services. Therefore, as airports continue to embrace digital their flight). The group that prefers more traditional manual processes,
transformation (Halpern et al. 2021a), they need to address privacy is­ which consists mainly of infrequent leisure travellers, is most concerned
sues even more than their online retail counterparts. Three concerns about data privacy at airports, while the group that prefers more per­
comprising interaction management are the most critical: the amount of sonalised processes, which consists mainly of frequent business travel­
data collected and how it is collected, the use of data for other purposes, lers, is least concerned. The group that prefers automated technology-
and loss of control on the data provided. Thus, as the range of additional based processes is somewhere in-between. It is quite possible that
digital services at airports increases (Halpern et al. 2020a), managers similar differences exist in other contexts, including online retail, where
should carefully consider the type and amount of data requested from privacy concerns are determined by the extent to which the user trusts
passengers for additional services, how they collect it, and the extent to and/or is familiar with the service provider that they are using, the
which they provide them with adequate control of their data. While the frequency with which they use the service, and the types of products or
other aspects (preventing improper access, informing passengers about services that they are using. There is certainly scope for more research in
personal data policies, and maintaining accurate data) are also impor­ this area.
tant, interaction management aspects should be prioritised. As for Similarly, data collection took place in Norway and while the overall
managers of online retail services, the type and amount of data findings of this study are expected to be transferable to other countries,
requested for additional services, how it is collected, customers’ control there might be differences depending on the nationality of respondents.
of their data, preventing improper access, and maintaining accurate For instance, Norway is a country that is highly ranked on the European
data, should be prioritised. Given that the effect of the dimensions of Commission’s Digital Economy and Society Index (EC, 2020), meaning
privacy concerns on the willingness to provide data for additional ser­ that the country has a higher integration of digital technologies
vices varies by context, managers working in other business contexts compared to most other countries in Europe. This may therefore result in
where personal data are used, should consider examining the relative a greater willingness among Norwegians to provide personal data for
importance of each of the dimensions and subsequently prioritise those digital services compared to respondents of countries that are less highly
that are most important to the specific context of their business. ranked in terms of digital progress.
For researchers who investigate issues related to privacy concerns,
the findings of this study imply that they should carefully select in­ 7. Conclusion
dicators of privacy concerns, depending on the research context in
question. The common practice among researchers that include privacy This study has confirmed a scale for measuring privacy concerns that
concerns in their conceptual models is to measure it as a unidimensional constitutes a third-order construct comprising two second-order con­
construct, using a few items (e.g., Zlatolas et al., 2015; Morosan, 2018; structs (interaction management and information management) and a
Palos-Sanchez et al., 2019). Although this practice helps to shorten a first-order construct (awareness). To the best of our knowledge, it is one
questionnaire, the findings of this study suggest that it should be care­ of the first studies to apply CCA – a recently proposed process for con­
fully considered because it may lead to invalid results, especially when firming PLS-SEM measurement models (Hair et al. 2020). Thus, besides
the indicators do not include the most critical dimension(s) of privacy confirming the privacy concerns scale, this paper also provides a valu­
concerns for a given context. The findings of this study also provide a able reference for future research that uses CCA to evaluate other
potential explanation for mixed results in past research related to pri­ measurement scales. As the findings of this study show consistent reli­
vacy concerns, which was recognised as an issue in the introduction and ability scores in two different contexts (airport digital services and on­
literature review of this paper. For instance, recently, Ioannou et al. line retail services), future research related to privacy concerns should
(2020) found that privacy concerns positively affect the willingness to consider adopting and using the scale in this study in other contexts, and
share behavioural information. This observation is contrary to common control for respondent characteristics (which was not done in this
sense and the findings of previous research. They argued that the posi­ study), given the effect that these might have on privacy concerns.
tive effect was most likely due to the privacy paradox, meaning that The findings of this study also offer valuable insights for managers
individuals concerned about privacy would still be willing to share because they suggest that the effect of privacy concerns varies by
personal information given that they would gain something in return. context. This study included six dimensions of privacy: the data collec­
While this explanation is partly sensible, our results offer another tion, the use of data for other purposes, loss of control, improper access,
possible explanation. Since previous studies related to privacy concerns information about personal data policies, and maintaining accurate
have been conducted in different contexts, mixed results might also be data. While all six of the dimensions are shown to be important, the
due to inadequate measurement caused by shortened scales. Thus, if findings of this study also reveal significant differences in the relative
researchers choose to use a shorter scale of privacy concerns, they must importance of them in each context. Thus, managers will need to pri­
carefully consider their research context and include items of the most oritise those that are most important to the specific context of their
relevant dimensions of privacy concerns. This consideration is vital as business.
the number of digital service contexts, where personal data are Although this study has confirmed a multi-dimensional scale for
requested, is growing. measuring privacy, researchers that include privacy concerns in their
A limitation of this study is that it does not consider individual conceptual models tend to prefer a unidimensional scale. Besides, there
characteristics of the consumer because in addition to differences by has been intense debate in the literature over the validity of single-item
context, there might also be differences by consumer. For instance, when scales (e.g. Sarstedt et al., 2016; Bergkvist, 2016). It appears that there is
investigating passenger preferences for using digital technologies at consensus that a carefully crafted single item can be used depending on
airports, Halpern et al. (2020b) found that privacy concerns associated the nature of the construct being measured. An interesting avenue for

73
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

future research is to assess the efficacy of carefully crafted unidimen­ Li, Y. (2014). The impact of disposition to privacy, website reputation and website
familiarity on information privacy concerns. Decision Support Systems, 57(1),
sional multi-item and single-item scales of privacy concerns versus a
343–354.
multi-dimensional scale that has been confirmed in this study. Malhotra, N. K., Kim, S. S., & Agarwal, J. (2004). Internet users’ information privacy
concerns (iuipc): The construct, the scale, and a causal model. Information Systems
Research, 15(4), 336–355.
Declaration of Competing Interest
Masur, P. K. (Ed.). (2019). Situational Privacy and Self-Disclosure. Cham: Springer
International Publishing.
The authors declare that they have no known competing financial Meehan, M., 2019. Data privacy will be the most important issue in the next decade.
Forbes. Available at: https://www.forbes.com/sites/marymeehan/2019
interests or personal relationships that could have appeared to influence
/11/26/data-privacy-will-be-the-most-important-issue-in-the-next-decade/#369
the work reported in this paper. 4c28f1882.
Miltgen, C. L., Henseler, J., Gelhard, C., & Popovič, A. (2016). Introducing new products
Acknowledgement that affect consumer privacy: A mediation model. Journal of Business Research, 69
(10), 4659–4666.
Moor, J. H. (1990). The ethics of privacy protection. Library Trends, 39, 69–82.
This paper is part of a project funded by the Research Council of Morosan, C. (2018). Information disclosure to biometric e-gates: The roles of perceived
Norway on digital capabilities at airports, project number 283349. It is security, benefits, and emotions. Journal of Travel Research, 57(5), 644–657.
Mwesiumo, D., & Halpern, N. (2018). Acquiescence and conflict in exchanges between
an international collaboration between Kristiania University College inbound tour operators and their overseas outbound partners: A case study on
and Molde University College in Norway, and Cranfield University in the Tanzania. Tourism Management, 69(December), 345–355.
United Kingdom. Avinor who operate 44 airports in Norway are an in­ Mwesiumo, D., Halpern, N., & Buvik, A. (2019). Effect of detailed contracts and partner
irreplaceability on interfirm conflicts in cross-border package tour operations:
dustry partner to the project. Inbound tour operatoŕs perspective. Journal of Travel Research, 2, 298–312.
Oghazi, P., Schultheiss, R., Chirumalla, K., Kalmer, N. P., & Rad, F. F. (2020). User self-
References disclosure on social network sites: A cross-cultural study on facebook’s privacy
concepts. Journal of Business Research, 112(May), 531–540.
Palos-Sanchez, P., Saura, J. R., & Martin-Velicia, F. (2019). A study of the effects of
Bansal, G., Zahedi, F. M., & Gefen, D. (2016). Do context and personality matter? Trust
programmatic advertising on users’ concerns about privacy overtime. Journal of
and privacy concerns in disclosing private information online. Information &
Business Research, 96(March), 61–72.
Management, 53, 1–21.
Polites, G. L., Roberts, N., & Thatcher, J. (2012). Conceptualising models using
Bélanger, F., & Crossler, R. E. (2011). Privacy in the igital age: A review of information
multidimensional constructs: A review and guidelines for their use. European Journal
privacy research in information systems. MIS Quarterlys, 35(4), 1017–1041.
of Information Systems, 21(1), 22–48.
Benitez, J., Henseler, J., Castillo, A., & Schuberth, F. (2020). How to perform and report
Sarstedt, M., Diamantopoulos, A., Salzberger, T., & Baumgartner, P. (2016). Selecting
an impactful analysis using partial least squares: Guidelines for confirmatory and
single items to measure doubly concrete constructs: A cautionary tale. Journal of
explanatory IS research. Information and Management, 57(2), Article 103168.
Business Research, 69(8), 3159–3167.
Bergkvist, L. (2016). The nature of doubly concrete constructs and how to identify them.
Sarstedt, M., Hair, J. F., Cheah, J.-H., Becker, J.-M., & Ringle, C. M. (2019). How to
Journal of Business Research, 69(9), 3427–3429.
specify, estimate, and validate higher-order constructs in PLS-SEM. Australasian
Buchanan, T., Paine, C., Joinson, A. N., & Reips, U.-D. (2007). Development of measures
Marketing Journal, 27(3), 197–211.
of online privacy concern and protection for use on the Internet. Journal of the
Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: An
American Society for Information Science and Technology, 58(2), 157–165.
interdisciplinary review. MIS Quarterly, 35(4), 989–1015.
EC (European Commission). (2020). Digital Economy and Society Index 2020: Norway.
Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: Measuring
Brussels, EC.
individuals’ concerns about organisational practices. MIS Quarterly, 20(2), 167–196.
Edwards, J. R. (2001). Multidimensional constructs in organizational behavior research:
Smith, S. M., Roster, C. A., Golden, L. L., & Albaum, G. S. (2016). A multi-group analysis
An integrative analytical framework. Organizational Research Methods, 4(2),
of online survey respondent data quality: Comparing a regular usa consumer panel to
144–192.
mturk samples. Journal of Business Research, 69(8), 3139–3148.
Fan, D. X. F., Hsu, C. H. C., & Lin, B. (2020). Tourists’ experiential value co-creation
Stewart, K. A., & Segars, A. H. (2002). An empirical examination of the concern for
through online social contacts: Customer-dominant logic perspective. Journal of
information privacy instrument. Information Systems Research, 13(1), 36–49.
Business Research, 108(January), 163–173.
Uncles, M. D., & Kwok, S. (2013). Designing research with in-built differentiated
Fried, C. (1968). Privacy. Yales Law Journal, 77, 475–493.
replication. Journal of Business Research, 66(9), 1398–1405.
Goldfarb, A., & Tucker, C. (2012). Shifts in privacy concerns. American Economic Review,
Wieringa, J., Kannan, P. K., Ma, X., Reutterer, T., Risselada, H., & Skiera, B. (2019). Data
102(3), 349–353.
analytics in a privacy-concerned world. Journal of Business Research, 122(January),
Hair, J. F., Howard, M. C., & Nitzl, C. (2020). Assessing measurement model quality in
915–925.
pls-sem using confirmatory composite analysis. Journal of Business Research, 109
Yeh, C. H., Wang, Y. S., Lin, S. J., Tseng, T. H., Lin, H. H., Shih, Y. W., & Lai, Y. H. (2018).
(March), 101–110.
What drives internet users’ willingness to provide personal information? Online
Hair, J. F., Hult, G. T. M., Ringle, C. M., & Sarstedt, M. (2017). A Primer on Partial Least
Information Review, 42(6), 923–939.
Squares Structural Equation Modeling (PLS-SEM). London: Sage Publications.
Zhao, X., Lynch, J. G., & Chen, Q. (2010). Reconsidering Baron and Kenny: Myths and
Halpern, N., Budd, T., Suau-Sanchez, P., Bråthen, S., & Mwesiumo, D. (2020a).
truths about mediation analysis. Journal of Consumer Research, 37(2), 197–206.
Conceptualising airport digital maturity and dimensions of technological and
Zlatolas, L. N., Welzer, T., Heričko, M., & Hölbl, M. (2015). Privacy antecedents for SNS
organisational transformation. Journal of Airport Management, 14(4), 1–22.
self-disclosure: The case of Facebook. Computers in Human Behavior, 45(April),
Halpern, N., Budd, T., Suau-Sanchez, P., Bråthen, S., & Mwesiumo, D. (2020b). Survey on
158–167.
Passenger Preferences and Opinions Regarding Digital Technologies at Airports in Norway.
Oslo: Kristiania University College.
Halpern, N., Mwesiumo, D., Suau-Sanchez, P., Budd, T., & Bråthen, S. (2021a). Ready for Deodat Mwesiumo Deodat Mwesiumo is an Associate Professor in supply chain man­
digital transformation? The effect of organisational readiness, innovation, airport agement at Molde University College, Specialized University in Logistics, Norway. His
size and ownership on digital change at airports. Journal of Air Transport research activities focus on interorganisational relations in value chains and digital busi­
Management, 90, 101949. https://doi.org/10.1016/j.jairtraman.2020.101949. ness management. His work has appeared in internationally accredited scientific journals,
Halpern, N., Mwesiumo, D., Suau-Sanchez, P., Budd, T., & Bråthen, S. (2021b). including Technovation, Tourism Management, Journal of Travel Research and Journal of
Segmentation of passenger preferences for using digital technologies at airports. Purchasing & Supply Management.
Journal of Air Transport Management, 91(March), 1–13, 102005.
Hong, W., & Thong, J. Y. L. (2013). Internet privacy concerns: An integrated
Nigel Halpern Nigel Halpern is Professor of Air Transport and Tourism Management at
conceptualisation and four empirical studies. MIS Quarterly, 37(1), 275–298.
Kristiania University College, Norway. His main interests are in airport digital trans­
Hubbard, R., & Lindsay, R. M. (2013). From significant difference to significant
formation, airport marketing and strategy, airport service quality, geographies of air
sameness: Proposing a paradigm shift in business research. Journal of Business
transport and tourism, accessible tourism, wider impacts of air transport and tourism and
Research, 66(9), 1377–1388.
interorganisational relations in air transport and tourism. He has published extensively
Ioannou, A., Tussyadiah, I., & Lu, Y. (2020). Privacy concerns and disclosure of biometric
including a book on Airport Marketing (Routledge, 2013), and the Routledge Companion
and behavioral data for travel. International Journal of Information Management, 54
to Air Transport Management (Routledge, 2018).
(October), Article 102122.
Jozani, M., Ayaburi, E., Ko, M., & Choo, K.-K.-R. (2020). Privacy concerns and benefits of
engagement with social media-enabled apps: A privacy calculus perspective. Thomas Budd Thomas Budd is a Lecturer in Airport Planning and Management in the
Computers in Human Behavior, 107(June), Article 106260. Centre for Air Transport Management at Cranfield University, UK, and Course Director for
Kharouf, H., Biscaia, R., Garcia-Perez, A., & Hickman, E. (2020). Understanding online the MSc in Airport Planning and Management. His research and teaching activities focus
event experience: The importance of communication, engagement and interaction. on issues of air transport environmental sustainability and resilience planning, and how
Journal of Business Research, 121(December), 735–746. disruptive technologies can be leveraged to facilitate safe, seamless and sustainable
Krishen, A. S., Raschke, R. L., Close, A. G., & Kachroo, P. (2017). A power-responsibility journeys. His research in this area has been widely published in leading peer-reviewed
equilibrium framework for fairness: Understanding consumers’ implicit privacy academic journals and industry textbooks, including The Journal of Transport Geogra­
concerns for location-based services. Journal of Business Research, 73(April), 20–29. phy, Transportation Research: Part A and the Journal of Air Transport Management.

74
D. Mwesiumo et al. Journal of Business Research 136 (2021) 63–75

Pere Suau-Sanchez Pere Suau-Sanchez is a Senior Lecturer in Air Transport Management Svein Bråthen Svein Bråthen is Full Professor in Transport Economics at Molde University
at Cranfield University and Associate Professor at the Open University of Catalonia. His College, Specialized University in Logistics, Norway. His main research activities are
teaching activities are focused on strategy and digital transformation. His research and within Transport Economics including Economic Impact Assessment (EIA) of Transport
consultancy activities expand over a wide range of topics, including digital aviation, Infrastructure (Cost Benefit Analysis, CBA), Regional Economics and Air Transport Eco­
airport connectivity, route development, airport strategy, spatial planning around airports nomics. He has also worked with intermodal freight markets, logistics/supply chain
and aircraft noise annoyance. He has participated in research grants and has also led management and funding of transport investments and transport services. On several
aviation consultancy projects for a diverse range of international clients. He is a regular occasions, he has done work for the Organisation for Economic Co-operation and Devel­
contributor to international press, including the BBC, CNN, Forbes, La Vanguardia, opment/International Transport Forum on air transport issues. He has recently been
Expansión, among others. member of an expert group dealing with air transport and its economic and environmental
impacts, appointed by the Norwegian Government.

75