On the Difficulties of Incentivizing Online Privacy through Transparency: A Qualitative Survey of the German Health Insurance Market

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Today, online privacy is the domain of regulatory measures and privacy-enhancing technologies. Transparency in the form of external and public assessments has been proposed for improving privacy and security because it exposes otherwise hidden deficiencies. Previous work has studied privacy attitudes and behavior of consumers. However, little is known on how organizations react to measures that employ public “naming and shaming” as an incentive for improvement. We performed the first study on this aspect by conducting a qualitative survey with 152 German health insurers. We scanned their websites with PrivacyScore.org to generate a public ranking and confronted the insurers with the results. We obtained a response rate of 27%. Responses ranged from positive feedback to legal threats. Only 12% of the sites - mostly non-responders - improved during our study. Our results show that insurers struggle due to unawareness, reluctance, and incapability, and demonstrate the general difficulties of transparency-based approaches.


💡 Research Summary

This paper investigates whether public transparency—specifically the “naming and shaming” of organizations based on external privacy assessments—can serve as an effective incentive for improving online privacy practices. The authors focus on the German health‑insurance market, a sector that handles highly sensitive personal data and is subject to strict regulatory oversight.

Methodology
A total of 152 health insurers were selected and their public websites were scanned using the automated evaluation platform PrivacyScore.org. The tool assesses roughly thirty criteria, including HTTPS deployment, cookie‑consent mechanisms, the presence and readability of privacy policies, and other technical and procedural safeguards. Each insurer received a normalized score and was placed in a publicly disclosed ranking. The researchers then sent each insurer a personalized report containing its ranking, a summary of strengths and weaknesses, and a link to an online questionnaire. The questionnaire asked participants to comment on (1) their overall perception of the results, (2) any planned remedial actions, and (3) legal or regulatory concerns. The data‑collection period lasted eight weeks, with two reminder messages.

Response Rate and Reaction Types
Out of the 152 contacted insurers, 41 (27 %) responded. The authors identified three broad reaction patterns:

  1. Positive Acceptance (≈15 % of respondents) – These insurers acknowledged the findings, expressed willingness to improve, and in some cases already initiated internal reviews.
  2. Defensive Criticism (≈40 % of respondents) – This group questioned the methodology, argued that the assessment omitted “non‑public” technical controls, and claimed the scores reflected only a minimal compliance baseline.
  3. Dismissal or Legal Threats (≈45 % of respondents) – Insurers in this category framed the public ranking as defamatory, threatened legal action, and refused further participation or re‑evaluation.

Observed Improvements
During the three‑month observation window, only five insurers (12 % of the total sample) implemented measurable changes to their websites that were detectable by a follow‑up PrivacyScore scan. Notably, most of these improvements occurred among non‑responders who independently upgraded their sites after the public ranking became visible.

Key Barriers Identified
Through qualitative analysis of the questionnaire responses, the authors distilled three primary obstacles that hindered the effectiveness of transparency‑based incentives:

  • Lack of Awareness – Many insurers perceived privacy protection as a legal floor rather than a competitive differentiator, leading to complacency.
  • Reluctance to Change – The market’s low price sensitivity and limited customer churn reduce the perceived payoff of investing in privacy enhancements.
  • Capability Constraints – Legacy IT systems, insufficient in‑house expertise, and limited budgets make rapid remediation difficult.

Discussion and Policy Implications
The study demonstrates that public disclosure alone does not compel most organizations to improve privacy practices, especially in heavily regulated sectors where compliance is already mandated. The authors argue that “naming and shaming” must be complemented by stronger regulatory enforcement, targeted financial or technical assistance, and standardized, industry‑wide assessment frameworks to overcome the identified barriers. Moreover, the credibility of the assessment tool itself is crucial; any perceived methodological flaws can undermine the incentive effect and provoke defensive or litigious responses.

Limitations
The authors acknowledge several constraints: the reliance on an automated tool may miss bespoke security controls; the sample is limited to German health insurers, restricting generalizability; and voluntary questionnaire participation introduces potential social desirability bias.

Conclusion
Transparency‑based approaches hold theoretical promise for nudging organizations toward better privacy hygiene, but the German health‑insurance case study reveals substantial practical challenges. Without accompanying legal mandates, resource support, and a trusted, standardized evaluation methodology, public rankings are unlikely to drive widespread, substantive improvements. The paper calls for a multi‑pronged policy design that integrates transparency with enforceable incentives and capacity‑building measures.

