Online privacy literacy and users ’ information privacy empowerment: the case of GDPR in Europe

Purpose – Research on online user privacy shows that empirical evidence on how privacy literacy relates to users ’ information privacy empowerment is missing. To fill this gap, this paper investigated the respective influenceoftwoprimarydimensionsofonlineprivacyliteracy – namelydeclarativeandproceduralknowledge – on online users ’ information privacy empowerment. Design/methodology/approach – An empirical analysis is conducted using a dataset collected in Europe. This survey was conducted in 2019 among 27,524 representative respondents of the European population. Findings – The main results show that users ’ procedural knowledge is positively linked to users ’ privacy empowerment. The relationship between users ’ declarative knowledge and users ’ privacy empowerment is partially supported. While greater awareness about firms and organizations practices in terms of data collections and further uses conditions was found to be significantly associated with increased users ’ privacy empowerment, unpredictably, results revealed that the awareness about the GDPR and user ’ s privacy empowermentarenegativelyassociated.Theempiricalfindings revealalsothatgreateronlineprivacyliteracy is associated with heightened users ’ information privacy empowerment. Originality/value – While few advanced studies made systematic efforts to measure changes occurred on websites since the GDPR enforcement, it remains unclear, however, how individuals perceive, understand and apply the GDPR rights/guarantees and their likelihood to strengthen users ’ information privacy control. Therefore, this paper contributes empirically to understanding how online users ’ privacy literacy shaped by both users ’ declarative and procedural knowledge is likely to affect users ’ information privacy empowerment. The study empirically investigates the effectiveness of the GDPR in raising users ’ information privacy empowerment from user-based perspective. Results stress the importance of greater transparency of data tracking and processing decisions made by online businesses and services to strengthen users ’ control over information privacy. Study findings also put emphasis on the crucial need for more educational efforts to raise users ’ awareness about the GDPR rights/


Introduction
In today's digital environment, data-driven firms collect, store and process data about users at an escalating level, powered by emergent intrusive technologies such as AI, GPS, data mining software, IoT based devices and others (Emami-Naeini et al., 2017;Kortesniemi et al., 2019;Urban et al., 2019;Kumar, 2023).This data-sharing environment is likely to reveal extensive personal informationtracked and shared by third party business partnersthat could be used to identify a specific individual, buying patterns, financial and health records, etc. thus leading to privacy leakage among the involved parties in data flows (Conger et al., 2012;Prince, 2018;Kortesniemi et al., 2019;Kretschmer et al., 2021;Maier et al., 2023).For example, IoT and AI automated-based decision making have been widely deployed in support of tracking, collecting, and processing personal data of smartphone users and other devices to infer users' habits, behavior and for other commercial and marketing purposes, which emphasizes users' interest for control and protection of his own data.
Consequently, control over personal information is vital to address the threats of privacy invasive practices and ensure users' privacy (Gerlach et al., 2018;Hagendorff, 2018;Kretschmer et al., 2021).
Yet, web users have limited control over personal information management (Demmers et al., 2018;Masur, 2020;Bornschein et al., 2020;Prince, 2018;Ooijen and Vrabec, 2019;Sanchez-Rola et al., 2019;Kretschmer et al., 2021).For instance, a recent empirical study on 65 digital native users by Maier et al. (2023) revealed that many users reported feelings of powerlessness and lack of control in protecting their own data.This coincides with findings in other relevant literature (Hartman-Caverly and Chisholm, 2023;Hagendorff, 2018).
To ensure such control, the lately introduced European General Data protection regulation (GDPR) in 2018 is established to protect and empower UE citizen data privacy by regulating businesses handling and processing of personal data.This includes control rights in terms of access, storage, objecting receiving direct marketing, transmission and erasing of data, etc., while requiring an increased user responsibility in protecting their private information through an informed and express consent.In line with this, online privacy literacy (OPL) should be regarded as a vital factor in Internet users' assessment of potential risks of disclosing/sharing personal information (Masur et al., 2023;Masur, 2020;Hagendorff, 2018;Correia and Compeau, 2017).
Yet, evidence from prior research work showed that online users have no/little knowledge about the data companies and digital technologies track, collect, and store about them (Gordon, 2018;Demmers et al., 2018;Boerman et al., 2018;Urban et al., 2019;Moran, 2020;Luria, 2023;Hartman-Caverly and Chisholm, 2023;Kumar, 2023), nor the regulations and rights related to information privacy (Prince et al., 2023;Robinson and Zhu, 2020;Soumelidou and Tsohou, 2021;Kardos, 2021;Maier et al., 2023).Further, prior recent studies evidenced thatto dateno research has been found that surveyed the impact of GDPR on users' control over personal data flows with few exceptions (Ooijen and Vrabec, 2019;Bornschein et al., 2020;Kretschmer et al., 2021) though they stressed the need for such investigation.
Prior research highlights persisting privacy risks for online users since the GDPR went into effect.In a study that evaluates the influence of GDPR on Internet users in the context of web tracking, based on a manual analysis of 2000 popular websites across the world including EU located and non-EU hosted websites, results reveal that web tracking is still ITP 37,8 prevalent even after the GDPR enactment.A vast majority of websites perform web tracking before providing any notice to users (Sanchez-Rola et al., 2019).Likewise, based on a user study involving 470 participants on Amazon Mechanical Turk (Linden et al., 2018), showed that though there was a positive change in the attractiveness and simplification of EU privacy policies since the GDPR enforcement, many privacy policies still do not comply with several key provisions on data protection set by the GDPR.This finding coincides with results revealed by Kretschmer et al. (2021).In their recent study that analyzes the literature that assesses the implications of GDPR legislation on personal data processing on the web, in particular, about how cookies consent notices, privacy policies and fingerprinting were impacted by the GDPR enactment, their study showed that most of these policies still lack information required by the GDPR.Most importantly, they also revealed the lack of user control by making it impossible to opt-out of non-essential data processing, accessing, or deleting.The non-functional cookies, often set by third-party websites, lead to important privacy leakage due to the prevalence of third-party trackers.Thus, given the complexity of technology used to manage data obtained from multiple websites, user privacy threats persist after the GDPR enactment.In the same vein, in a study that measures the Impact of the GDPR on data sharing in Ad Networks, findings revealed that the amount of tracking among online advertising companies was not affected since the GDPR enforcement though, highlighting its crucial impact on users' privacy (Urban et al., 2020).
Thus, while these few advanced academic studies made systematic efforts to measure changes occurred on websites at the time the GDPR came into effect, it remains unclear, however, how individuals perceive, understand, and apply the GDPR rights/guarantees and their likelihood to strengthen users' information privacy control.Therefore, examining how privacy literacy affects users' information privacy empowerment has become a topic of common interest among scholars and practitioners (Ooijen and Vrabec, 2019;Bornschein et al., 2020;Livingstone et al., 2021).Yet, there is limited empirical evidence casting light on this relationship.In specific, our analysis of extant literature showed lack of research that incorporates both declarative and procedural knowledge dimensions of privacy literacy in a comprehensive model to examine their respective impact on perceived control over personal data privacy.Further, prior research on information privacy bears some limitations.Research work by Ooijen and Vrabec (2019) performed an analysis on the existing literature to understand how the GDPR principles can help maintain users' control over personal data.
Although their study provides important steps for understanding the effects of GDPR on information privacy, empirical evidence about the effects of GDPR on users' privacy empowerment from users' perspective is notably lacking.Furthermore, based on a field study about the GDPR practices, Bornschein et al. (2020) investigates how the visibility and choice offered via website cookie notifications are likely to impact consumer privacy power and risk perceptions.Despite its substantial contributions to understanding the effects of cookie notice and choice on consumers' perceived power, they limited the scope of the analysis of GDPR provisions to the notice and choice.
Nonetheless, the GDRP aims beyond providing users with "notice" about their personal information collection and use practices and "choice" about how their personal data may be processed.This regulation is also intended to consider more substantive limitations on data processing and broader restrictions/requirements such as the right to object receiving direct marketing, the right to correct, the right to be forgotten/data deletion, data portability or even the right to refuse algorithmic/AI-based automated decision making.It has been shown that effective privacy protection should avoid adopting a mere "notice" and "choice" systems.Instead, considering European-style protections, such as the right to erase data and the right to be forgotten is recommended (Massara et al., 2021).Accordingly, our study has a larger scope that considers those broader requirements.In particular, how users' knowledge and applications of those rights are likely to strengthen users' privacy empowerment (perceived control over personal data).
The paper's main contribution to the current academic debate is that while the effectiveness of the GDPR on users' information privacy empowerment has been addressed from a purely academic point of view (Ooijen and Vrabec, 2019), to the best of our knowledge, there has not been much empirical analysis on the topic from user-based perspective.To fill this gap, the present paper aims to understand the levels of privacy awareness and skills (OPL) among EU citizens and their influence on information privacy empowerment, by combining legal insights from the GDPR privacy rights/provisions with privacy protective actions/strategies.Hence, it takes a user-based approach, focusing on users' awareness/ knowledge and experiences with the GDPR privacy rights and skills related to data protection.
Our study contributes empirically to the emerging body of research on the role of privacy literacy on online users' information privacy perceived control, drawing upon a quantitativebased study by means of a large and representative sample of more than 27,000 respondents in 2019.The data aims to explore awareness of GDPR in particular, as well as more general opinions and behaviors relating to data sharing and data protection.An econometric model is performed to study the link between privacy perceived control and online privacy literacy.In a nutshell, the purpose of the current paper is to elaborate on the effects of the European GDPR and online users' privacy self-protection on their perceived control over personal data.
Based on a review of literature pertaining to online privacy (Xu et al., 2012;Trepte et al., 2015;Masur et al., 2017Masur et al., , 2023;;Weinberger et al., 2017;Boerman et al., 2018;Masur, 2020;Bornschein et al., 2020, Livingstone et al., 2021;Kumar, 2023;Hartman-Caverly and Chisholm, 2023), we make the following three contributions: First, examine how individuals' awareness and knowledge about privacy protective regulations and rights are likely to impact their perceived control over personal data flows.In particular, how effective is the General Data protection regulation (GDPR) in strengthening individuals' perceived control over personal data flows.Second, how much privacy protective actions/measures are likely to affect their perceived control over personal data flows.Third, how privacy literacy influences web users' perceived control over personal data flows.Thus, on a theoretical level, this study deepens our understanding of how the GDPR may influence users' privacy empowerment and offers an empirical link between the domains of user's privacy literacy and user privacy empowerment.Further, the current paper investigates jointly the effects of declarative and procedural knowledge on users' information privacy empowerment that warranted further exploration.
The remainder of the paper is structured as follows: Section 2 presents a review of relevant research work and outline the theoretical framework of our research paper; section 3 introduces data and research methodology; section 4 provides a summary of data analysis results and section 5 concludes with a discussion of research findings and presents theoretical and practical implication and direction for future research perspective.

Related work Online privacy literacy (OPL)
In the era of big data, advanced digital technologies, and the growing use of AI-automated decision making, privacy literacy has become fundamentally important, but people have little awareness about the GDPR data protection rights/guarantees, online tracking practices and skills related to data protection (Maier et al., 2023;Kardos, 2021;Desimpelaere et al., 2020;Urban et al., 2019).Privacy literacy has been recognized as an important factor in online data protection behavior (Sindermann et al., 2021).Hartman-Caverly and Chisholm (2023) emphasized the important role of privacy literacy in empowering one's self-awareness of his/ ITP 37,8 her own privacy to regulate information privacy online.Reviewing prior studies on online user privacy, however, has revealed that research in this area is at early stages (Ooijen and Vrabec, 2019;Bornschein et al., 2020;Pingo and Narayan, 2017;Livingstone et al., 2021;Masur et al., 2023;Kumar, 2023).
In an attempt to address the problem related to children privacy literacy online, a recent work by Livingstone et al. (2021) emphasized the important role of educating them better understanding, managing and preserving their privacy in an increasingly complex and "datafied" digital economy.Thus, they argue that it is not sufficient to gain functional skills/ coping strategies to manage their privacy setting but also need a deep knowledge and understanding of digital environments data tracking practices to develop a sense of empowerment.Further, their study contends that online environments are powered not only by "shared" data but also by implicit pervasive "inferred/profiling" data and "data tracking" technologies.Therefore, this underpins the crucial role of privacy literacy in managing users' privacy.
Furthermore, in an empirical study based on interviews combined with ethnography with university students, Pingo and Narayan (2017) examine participants' perceptions, awareness, and use of social media.Their study sparks the need to incorporate privacy literacy as a key dimension of information literacy.
While "knowledge" refers to users' awareness of websites and firms' practices in terms of personal data collection, knowledge about technical aspects of online privacy and data protection, and knowledge about privacy protective regulation and rights," skills" in its turn, designates users' privacy protective actions and measures.It is worth noting that while the former is referred to as "declarative knowledge", the latter is named "procedural knowledge".
In a study that investigates Facebook users' privacy awareness and online privacy attitudes and behaviors, Debatin et al. (2009) asserted that the concept of OPL involves: (1) an informed concern for one's privacyin that, users must be well-informed about the potential negative implications of SNS on their privacyand (2) effective strategies to protect it.Therefore, it is essential to acknowledge that both knowledge and skills are necessary to mitigate the negative consequences related with personal data sharing.Consistent with this evidence, Correia and Compeau (2017) also stressed the importance of privacy awareness (knowledge).They argue that users' privacy protective actions depend heavily on their awareness of the potential threats/consequences of sharing private information so he may be able to restrict their sharing correspondingly.Further, their study stated that awareness requires that user's "education" about regulations, companies practice in terms of personal data collection and understanding of technologies collecting and processing this data.In accordance with this assumption, Masur (2020) claimed that user awareness is key requisite in developing a sense of literacy and without the awareness of privacy intrusive practices/threats in the digital environment, procedural knowledge becomes useless.The author contends that online privacy literacy should provide users with knowledge and skills to protect their privacy against invasive practices by external influences, including authoritarian governments.In a nutshell, the author stressed the importance of both knowledge and skills as underlying dimensions of OPL to enable individuals to have control over their personal information.Thus, Masur (2020) argues that privacy literacy incites user to become an "agent".
Nonetheless, in a world of ubiquitous surveillance and wide-scale data collection, privacy intrusions and erosions are often invisible and difficult to control (Tavani and Moor, 2001;Demmers et al., 2018).For instance, machine and algorithmic automated decision making exacerbates and reduces greatly individual ability to claim control and agency.In this realm, Hagendorff (2018) confirmed that online privacy literacy contributes to empowering technology users to control personal data.He asserted that privacy literacy goes beyond merely changing privacy settings.Privacy literacy should also encompass users' awareness of back-end invisible data collections and awareness of the privacy loss by default setting.His work also revealed that technology users know little about user tracking practices (about explicit and implicit data practices).This coincides with findings made by a recent study by Desimpelaere et al., 2020).Based on in-depth interviews research design with 10 parents and 9 children, their study showed, that in the era of digital age, children lacked knowledge about both explicit and invisible online tracking practices.Their findings suggest that privacy literacy contributes substantially to enhancing users' understanding of companies' data practices and empowering them to protect personal data privacy.This is also reported by a recent work by Hartman-Caverly and Chisholm (2023) which suggests that robust privacy literacy instruction should uncover the backend implicit processes of personal data collection and manipulation.
Furthermore, in a study that investigates the effects of conceptual knowledge and procedural knowledge on users' self-efficacy in relation to phishing attacks, Arachchilage and Love (2014) put emphasis on user security "education" as technology alone can't address alone critical IT security issues.Their research focuses on the "human" aspect of performing security using a given protective measure.This measure does not necessarily have to be an IT anti-phishing tools; rather it could be behavior such as anti-phishing "education".
Survey-based research by Weinberger et al. (2017) that examines determining factors of OPL in a sample of 160 Israeli students, shows that users' information privacy concerns and users' self-efficacy as the most influential factors in understanding OPL.Their study claimed that OPL involves both "declarative" and "procedural" knowledge.However, their study falls short of its claims.It didn't account for online users' knowledge about privacy protective regulations and rights.Bornschein et al. (2020) examined the effects of notice visibility and choice in websites' information collection practices on consumers' privacy power.Despite its significant contributions to understanding how visibility and choice offered via website cookie notifications are likely to impact consumer perceived power over personal information, privacy literacy, was solely concerned with "front-end" features where users have the "consent" and "choice".However, this is likely to lead to overlook many of back-end implicit practices of personal data tracking and processing such as the automated decision making and inferred profiling (Hartman-Caverly and Chisholm, 2023;Kumar, 2023).The GDPR regulation is also intended to consider more substantive limitations on data processing and broader restrictions/requirements such as the right to refuse algorithmic-based automated decision making that we consider examining in our study.
In more recent research, Prince et al. (2023) conceptualized Internet users privacy concerns through declarative knowledge (awareness) and procedural knowledge (application).While this research provides several important insights, particularly in understanding how users' privacy literacy is likely to mitigate their concerns over personal data, their study bears some methodological issues in terms of OPL measurement.Their study lacks the measurement of declarative knowledge relating to firms' practices in terms of data collection, processing and storage.Further, as their study was based on data collected prior to the GDPR enforcement, they didn't account for how the stricter GDPR provisions introduced in 2018 may help addressing online users' privacy concerns.

ITP 37,8
Consistent with the preceding discussion, this paper suggests that online privacy literacy is formed by both cognition (awareness) and application (Behavior) needed to protect one's personal information: While awareness designates the amount of knowledge, the application refers to the amount of behavior (Dinev and Hart, 2006;Correia and Compeau, 2017;Pingo and Narayan, 2017;Wissinger, 2017).In summary, it implies users' knowledge about platforms data collection and uses practices, data protection regulations, and knowledge about techniques and strategies they can apply to protect their privacy (Masur et al., 2023).

User privacy empowerment
User privacy empowerment finds its origins in consumer empowerment and psychology literature (Van Dyke et al., 2007;Alshibly and Chiong, 2015;Hagendorff, 2018;Prince, 2018;Bornschein et al., 2020).This concept emphasizes the role of control over privacy.According to this premise, empowerment is related to control and is regarded as individual desire to control his environment.
The GDPR is established to enable users to exercise their control rights.In other terms, it is intended to provide data subjects with a "notice" (prior notification) about information collection and use practices.It stressed therefore the need for transparency regarding personal data collection and use.As well, it emphasizes the need for a clear informed indication of agreeing personal data processing (Regulation (EU) 2016/679).Accordingly, it seeks to give him the "choice" (consent seeking): individuals should be granted an option to express consent about data collection and processing (Ooijen and Vrabec, 2019;Bornschein et al., 2020).Similarly, Masur (2020) argued that data subject should have the right and the ability to decide for themselves when and to which extent information about himself should be collected, processed or disseminated/shared with others.This has been referred by the author as "self-determination". Hence, this concept acknowledges and emphasizes users' privacy self-agency.Likewise, Pingo and Narayan (2017), Hagendorff (2018) advanced that there is shift of responsibility from government towards users to exert control over their online privacy.
According to Tavani and Moor (2001), the concept of empowerment goes beyond restricting "access" to one's personal information.Individual should be able to control the dissemination of personal data.They stressed the role of control in privacy management, which is embodied by three major dimensions: consent, choice and correction.
Extending on prior research on individual's empowerment in research that investigates the effects of consumer privacy empowerment on privacy concerns in E-commerce, Van Dyke et al. (2007), provided a comprehensive understanding of user's privacy empowerment.Their study showed that users privacy concerns are related to their perceived control over personal data.The authors highlighted the underlying dimensions of such control: the "Notice", the "Choice" and the "Access".Following this rationale, individuals should have prior "notification" about personal data collection, use and sharing among the involved parties.The "choice" component designates the right to have an option of consent about data collection and use.The "access" refers to user ability to rectify, correct personal information about oneself, thereby allowing for a greater control against intrusive privacy practices.
Building on this, we suggest that the concept of user privacy empowerment embodies notions of "notice", "choice" (consent) and "access".It refers to individual perception of the extent to which he can control personal data dissemination and use.We apply this concept to refer to users' perceived control over personal data flows (Van Dyke et al., 2007;Midha, 2012;Bornschein et al., 2020).

Online privacy literacy and users' privacy empowerment
The GDPR principals suggest that data subject should be "notified" about firm's practices in terms of data collection (awareness).As previously mentioned, it also established a set of other guarantees/rights to ensure information privacy control.How the awareness about GDPR rights/provisions is likely to influence his perceived control over personal data?
Declarative knowledge is likely to influence users' perceived control over personal information.A range of relevant studies on user privacy empowerment suggest that users feel more powerful if they are aware or receive notice about firms and websites practices in terms of personal data collection, use and sharing (Dinev and Hart, 2006;Prince, 2018;Bornschein et al., 2020).This is also in line with research by Ooijen and Vrabec (2019) that argued that control requires knowledge/awareness about the consequences of negative risks associated with data sharing.Further, their study contended that control over personal information is tightly correlated with an express consent where individual may approve or object personal data gathering and processing.The same study stressed the informational complexity and individual's limited cognitive abilities in reading privacyrelated information that require specific expertise "literacy" in terms of understanding.In addition, their research argued that informing data subjects about the existence of automated decision-making may result in fostering the informational perceived control over personal data processing.This echoes also some findings revealed by other relevant research work (Hagendorff, 2018;Livingstone et al., 2021;Hartman-Caverly and Chisholm, 2023;Luria, 2023;Kumar, 2023).In a study the focuses on recommendation algorithms transparency (Luria, 2023), the author argues that users' often lack knowledge about how those algorithms work and what information they use, stressing therefore the important role of users' awareness in this regard to empower users with control over their information privacy.Further, Kumar (2023), argued that digital technologies such as sensors, IOT devices, algorithms are fueled by data derived from people and often used for prediction purposes.Still, users have little knowledge of what data is tracked and used by such technologies, emphasizing the impact of knowledge/awareness about digital data flows in enhancing users' control over information privacy.
The GDPR is believed to embody a state of user's empowerment in gaining greater control over their personal data (greater users' privacy empowerment) (Ooijen and Vrabec, 2019).A study by Kardos (2021) explores privacy literacy and personal data protection of law students.For this purpose, they conducted an online survey with 205 faculty law students in Hungary combined with in-depth interviews with 16 students.Their findings highlight the lack of knowledge among the surveyed students in relation to the identification of personal data.Moreover, results show that most study participants stated that they were unaware of GDPR data protection guarantees.Their findings suggest that privacy literacy should be improved to ensure higher levels of data protection.Likewise, Youn (2009) argued that users who are more knowledgeable about legislations and privacy rights tend to have a greater control over their personal data flows.Building on the above, we put the following hypothesis: H1. Declarative knowledge is positively associated with user' privacy empowerment.
Regarding the link between procedural knowledge (skills and actions) and perceived control over personal data, and more specifically reading privacy policy statements and using cookie management tools, we believe that individuals with higher procedural knowledge may perceive themselves as having greater control over their personal information (Park and Jang, 2014).Their research stressed the importance of individuals' management of their personal information tracking and claimed that users who don't know how to effectively manage their information tracking are more likely to undergo conspicuous privacy intrusions.In the same vein, in a survey about young adults' online privacy practices during job search, Hargittai and Litt (2013) showed that privacy skills (the "know how") relate to people likelihood to ITP 37,8 manage their privacy.Similarly, Boerman et al. (2018) claimed that privacy management is particularly important as legislation falls short in providing privacy protection.Li et al. (2011) asserted that the extent to which individuals are informed about website privacy policy statement assists in reassuring and empowering users for privacy preservation.This underpins the importance of procedural knowledge in ensuring users' control over personal data privacy.It is worth noting that Xu et al. (2012) distinguish between technological and non-technological privacy self-protection mechanisms.While the former comprises privacyenhancing technologies that allow control over personal data flows including anonymous web browsing, cookie management tools (privacy setting change), privacy enhancing features that enables limit personal data access, use, disclosure, etc.), the latter includes approaches such as reading privacy policy, complaining to third party organization or directly to the online company.Within the scope of our paper, we focus on investigating both approaches, specifically reading and understanding privacy policy and customizing cookie tracking and privacy policy banner by changing privacy settings.Hence, we hypothesize the following: H2. Procedural knowledge is positively associated with user' privacy empowerment.
In a survey-based study on 630 Facebook users by Bartsch and Dienlin (2016), findings revealed that users reporting higher online privacy literacy safety are believed to express higher perceived privacy safety.It is worth noting that perceived privacy safety embodied a state of control over physical, psychological or material harm.In support of this assumption, we believe that users expressing higher privacy literacy perceived greater control over personal data.Consistent with this result, in a study that investigates mobile-based privacy literacy among young adults, Park and Jang (2014) emphasized the important role of privacy literacythat is shaped by both knowledge and skillsin empowering users with sense of control over information privacy.Arachchilage and Love (2014) asserted that "procedural knowledge" is significantly close to the idea of "know how" and the declarative knowledge is "now that".Furthermore, he explained that such declarative knowledge allows us to explain why, hence the distinction of ''know how'' and ''know why''.In accordance with this premise, Prince et al. (2023) argued that the two dimensions of declarative and procedural knowledge are likely related by seldom associated, with their relationship being underexplored.Following this rationale, we propose that both procedural and declarative knowledge positively impact perceived control over personal data.Likewise, in an experimental study that examines users' information privacy concerns in the context of location-based services that draws upon control agency theory, Xu et al. (2012) claimed that there are two approaches to strengthen users' perceived control over personal data: (1) Self-agency via self-protection (self-protection approach) and (2) others proxy agency (proxy control).Self-agency designates personal control enhancing mechanisms.Accordingly, an individual acts as a control agent in protecting his/her information privacy, whereas other agencies refer to others that act as a control agent to protect individuals' privacy (such as governmental regulations).Their findings revealed that both agencies are likely to impact their privacy concerns.They argue that self-protective approach leads to feel greater autonomy and provides users with control over his personal data flows and therefore with a sense of self-agency, reducing the effects of proxy control via governmental regulations.On the other hand, it is postulated that government regulations set privacy protection rights that allow users to believe that companies will protect their disclosed data, conceding therefore personal control and allowing the regulations to protect their personal data on their behalf.The rationale behind this premise is that individuals tend to minimize the amount of cognitive effort pertaining to information processing and do not process information more than necessary.Hence, if one of the two agencies is sufficient to make risk-free judgments, the existence of other mechanisms may not matter.A widely agreed upon argument is that users with higher privacy literacy

Online privacy literacy
who have the knowledge and skills are more likely to perceive heightened information privacy control (Masur, 2020;Hagendorff, 2018;Prince et al., 2023).In line with this, Livingstone et al. (2021) study emphasized that online privacy literacy involves both users' knowledge and agency regarding their personal data flows online.In accordance with those premises, we examine the joint effect of declarative and procedural knowledge and its likely impact on users' perceived control.Hence, we assess the effect of declarative knowledge (Internet users' knowledge about privacy GDPR provisions and rights, knowledge about firms and websites practices in terms of personal data collection, knowledge about existence of public authority to report complaint of privacy violation) and the procedural knowledge (self-protective actions and strategies used by Internet users: In the scope of this paper, reading privacy policy statement and changing privacy settings) on users' privacy empowerment.Thus, we argue that online users' who report higher level of OPL also perceive increased control over information privacy.Thus, the above discussion leads us to hypothesize the following: H3. Online privacy literacy is positively associated with users' privacy empowerment.
Therefore, Figure 1 presents a conceptual model that illustrates the studied variables and their hypothesized interrelations in understanding users' information privacy empowerment.
The research model describes that users' privacy empowerment is determined by both "selfagency" procedural knowledge) and "others agency" (declarative knowledge) approaches.

Data and research methodology
The Justice and Consumers to explore users' awareness about the GDPR in particular, as well as more general opinions and behaviors relating to data sharing and data protection.In the Eurobarometer 487, we focused on Internet users.After data cleaning, we obtained a dataset of more than 15,000 observations that covered 29 EU countries.

Variables and measurement
Variables.The endogenous variable is the level of consumer empowerment.Respondents were asked about the level of control they have over the information provided online (e.g. the ability to correct, change or delete this information).
The variable takes the value 2 if the individual feels having a complete control over the information provided, 1 if he feels some control or depending on the website or application, and 0 if he feels no control at all.
The variable of interest is OPL.The two dimensions of OPL, namely "declarative knowledge" and "procedural knowledge" were derived from prior privacy studies (Masur et al., 2017;Trepte et al., 2015;Weinberger et al., 2017).
Other variables used as control variables were also linked to consumer empowerment, such as demographics (gender, age), job position, paying bills as a proxy for wages, living area and country.

Descriptive statistics
This study adopted items that estimate web user's knowledge about laws and regulations related to personal data protection and items that assess the self-protective actions adopted to protect privacy.Procedural privacy knowledge was measured using two items that referred to the actions taken by the individual that enabled him to enforce security and privacy in handling information privacy through (1) changing the privacy settings of the personal profile from the default settings (e.g. to delete browsing history or delete cookies) and (2) reading privacy statement.
Declarative knowledge was measured using items related to the awareness of users about (1) companies and organizations practices in terms of data collection and further uses conditions; (2) the GDPR; (3) the existence of a public authority to report complaint against privacy violations, and (4) the rights to: access the data, object to receiving direct marketing, correct data if it is wrong, to delete data and to be forgotten, have a say when decisions are automated, move data from one provider to another.
Other variables used as control variables were also linked to consumer empowerment, such as demographics, job position, living area, and wage.
The age of the individuals ranged from 15 to 98.The gender variable takes the value 1 if male and 0 if female.Job position is measured using the following variables: unemployed, selfemployed and employed.A set of mutually exclusive binary variables are used for "living area", which indicate whether the individual lives in a large town, a mid-sized town, or a rural area."Paying bills" is used as a proxy to measure the wage indicating in what extend the individual has difficulties in paying bills at the end of the month.
Table 1 gives the descriptive statistics.

Data analysis
Ordered logit regression analysis is one of the most used approaches for modelling consumer behavior (Guadagni and Little, 1983).This method is commonly employed for ordered outcomes in social sciences (Borooah, 2002).Therefore, we apply ordered logit regression as our outcome variable reflect an underlying ordering.Hence, we estimate the following model: Building on the literature review in the preceding section, user's privacy empowerment may be influenced by privacy knowledge and declarative knowledge and their joint effects.

Results
The results of the logistic regression estimation are reported in Table 2.Because we rely on cross-section data, we cannot account for endogeneity among the variables and the links between variables are correlational.To ensure the robustness of our results, we performed four model specifications, showing the results in blocks.
The first model gives results using only the items related procedural knowledge as exogenous variables.The second model adds declarative knowledge variables.In the third model, we introduce the demographics.In the fourth model, the "country" is incorporated.To account for the methodological issues related to multicollinearity effects between the "awareness about the GDPR" and the "awareness about the rights guaranteed by the GDPR", we performed a fifth model estimation.Hence, "awareness about the GDPR" is introduced without the "awareness about the different rights guaranteed by the GDPR".Empirical findings from these models show substantial robustness across the performed model specifications.
The results show, with respect to the variable of interest, procedural knowledge, a positive and significant (at 1%) link between procedural knowledge and user's privacy empowerment when looking at all the models.This means that there is a positive link between the level of perceived control users have over the information provided online on the one hand and changing the privacy settings from the default settings and reading privacy statements on the other hand.When looking at declarative knowledge, the link remains positive and significant at 1% for the items related to: data collection conditions, authority, the rights of data access, the right of a say.Thus, being informed about companies and organizations practices in terms of the conditions of data collection and further uses, being aware of the existing of a public authority responsible for protecting consumer rights regarding personal data, being aware about the right to access the data, being aware about the right to have a say when decisions are automated are found to have a positive link with users' level of perceived control over personal data.This link is negative and significant at 5% when looking at the awareness about the right to object to receiving direct marketing.
ITP 37,8 The sociodemographic results, with respect to Age, taking people aged between 15 and 24 as the reference category, the link is negative, meaning that older people feel having less empowerment about their privacy.Regarding the Job Position, this link is not significant.In addition, living in a large town, a mid-sized town, or a rural area has no significant link with individuals' empowerment.
We also controlled the Country.The results of the three models show that, compared to the reference country -Franceindividuals living in Italy, Luxembourg, Ireland, Greece, Portugal, Finland, Austria, Cyprus, Czech Republic, Estonia, Hungary, Lithuania, Malta, Poland, Slovakia, Slovenia, and Croatia have more privacy empowerment, whereas individuals living in Germany expressed less privacy empowerment.

Discussion
In what follows, we discuss our empirical findings in relation to prior research work to better elucidate the key contributions of this paper to the privacy literature.
First, the ordered logit regression estimation revealed that the positive link between users' procedural knowledge and users' privacy empowerment is supported (H1).Particularly, results suggest that reading privacy policy statements and changing privacy settings of personal profile from the default settings (e.g.deleting browsing history or deleting cookies) are positively associated with heightened information privacy empowerment.In summary, empirical findings show that users who are more likely to adopt self-protective approaches to reinforce personal data privacy are more likely to perceive greater control over personal data.This result is consistent with the work by Xu et al. (2012) that highlighted that both technological and non-technological privacy self-protection approaches may lead to higher perceived control over personal data flows.This result corroborates also premises made by other relevant work that suggest that privacy self-management skills are particularly important as legislations fall short in providing privacy protection (Hargittai and Litt, 2013;Li et al., 2011;Boerman et al., 2018).This supports the results of recent research by Livingstone et al. (2021) that underlines that some functional skills such as changing privacy setting, reading privacy policies and navigating through conditions, etc., are necessary to empower children over their privacy.
Second, empirical findings also lend a partial support to the relationship between users' declarative knowledge and users' privacy empowerment (H2).For example, users' information privacy empowerment is found to be positively associated with the following: "awareness about data collection and further uses conditions", "awareness about the existence of a public authority to report complaint", "awareness about the right to access data", "awareness about the right to have a say when decisions are automated", and the "awareness about the right to correct data".Conversely, users' privacy empowerment is found to be negatively associated with the following: the "awareness about the GDPR" and the "awareness about the right to object receiving direct marketing (e.g Email, text messaging, etc.)".In a survey that compares three consumer segments preferences relating to the privacy boundaries for the use of eight main information technologies, among others, direct marketing tools like spam, text messaging, online advertising, Milne and Bahl (2010) report that direct marketing relies often on "opt-out" mechanism to obtain permission to use consumers information.This format is hence likely to provide more names list than the "optin" format that requires a prior consumers' permission, resulting in less control over personal data.Accordingly, they suggest that opt-in option is seen as granting consumers more control over personal data as a better method to build consumers' trust.As aforementionedunpredictablycontrast to the assumption that awareness about the GDPR is likely to empower individuals with greater perceived control over their personal data, our results indicate that the awareness about the GDPR and user's empowerment are negatively associated.This result stands in direct contrast to other prior research (Youn, 2009;Tang et al., 2008;Xu et al., 2012) which reported that privacy protection ensured by governmental regulations makes individuals believe that companies will protect their personal data flows, leading to a greater perceived control over their personal data.Another plausible explanation for this negative link that despite regulatory efforts to enhance consumer control over personal data, users are still misinformed about the regulations intended to regulate personal data access, processing and uses (Maier et al., 2023;Kardos, 2021;Soumelidou and Tsohou, 2021).Nonetheless, this result should be interpreted with caution.In other terms, this negative link is attributable to methodological issues related to multicollinearity effects between the "awareness about the GDPR" and the awareness about the rights guaranteed by the GDPR".Note that when the item "awareness about the GDPR" was introduced alone, its effect was not statistically significant (Cf.model specification 5).This finding corroborates Bornschein et al. (2020) premise that asserts that experience with privacy regulation doesn't ensure alone privacy control.
Further, our empirical findings reveal that higher levels of awareness about firms and organizations practices in terms of data collections and further uses conditions are shown to be significantly associated with heightened users' privacy empowerment.This is consistent with other relevant recent research work by Luria (2023), Kumar, 2023;Maier et al., (2023) that stressed the role of knowledge/awareness about digital data flows in enhancing users' control over information privacy.This finding finds also echoes in the OECD work (2013), which reports that ensuring "transparency" pertaining to personal data collection, handling, and purposes so that individuals are aware of such conditions is regarded as essential mechanism that ensures a greater control over personal data.This also mirrors findings of other prior research (Hartman-Caverly and Chisholm, 2023) that argue that the back-end implicit practices of personal data tracking and processing (such as automated decision making, inferred profiling, etc.) are often overlooked by users, resulting in loss of control over information privacy.
In addition, empirical evidence shows that users' privacy empowerment is not correlated with the following: "awareness about the right to delete data" and "awareness about the right to move data from one provider to another".A plausible explanation for a lack of significant support for this relationship might be explained by Ooijen and Vrabec (2019) work that stated that the right to data erasure should result in users' control over the scope of personal data flows.However, because of data intangibility and spread throughout the online environment, this control tends rather to lessen.Further, they claim that the right to data erasure is not an obligation when requiring a substantial effort.Furthermore, in terms of the link between perceived control and the awareness about data portability from one provider to another, the researchers asserted that because of industry monopolization, individual's control over personal data is endangered.This is as well reported by Tavani and Moor (2001).This is also in accordance with Kranenborg (2016) that advances that individuals seem simply to have no choice.
Finally, in line with the empirical results of the regression estimation, evidence revealed that user's online privacy literacy (declarative and procedural knowledge) is likely to be significantly associated with user's privacy empowerment (H3), except for the awareness and exercising the right to object receiving direct marketing, the awareness and exercising the right to delete personal data (the right to be forgotten), and the awareness about the GDPR (Cf.model specification number 4).This finding implies that despite the recent regulatory efforts to protect privacy and empower online users over personal data flows, their personal data is still jeopardized (Bornschein et al., 2020, Ooijen andVrabec, 2019).For example, the research study by Sanchez-Rola et al. (2019) that aimed to understand the influence of the GDPR on online users' privacy showed the ineffectiveness of data deleting/opting-out and that withdrawing consent is a mere illusion.Users' privacy empowerment should be acknowledged as a dimension of the right to data protection (Kranenborg, 2016); that is ITP 37,8 any potential harm, whether tangible or intangible, caused by the absence of personal data protection can be mitigated by individuals' control over personal data.On the other hand, control over personal data is vital not only in terms of managing the negative consequences of data privacy threats but also to enable managing their "own" data and capitalizing on the opportunity to trade this valuable asset in the emerging market of personal data.It is believed that individuals' need for control over personal data stems essentially from the opportunity of having monetary or non-monetary compensation from data disclosure (Prince, 2018).

Conclusion, implications, limitations and future research
The main purpose of this paper is to understand the levels of OPL among EU citizens and its likely impact in strengthening online users' information privacy empowerment.Hence, the notion of OPL describes online users' information privacy awareness and skills regarding privacy protection.Reviewing recent research work related to online user privacy has revealed that empirical evidence on how privacy literacy relates to users' privacy empowerment is particularly missing.Current efforts in online privacy literature have been made to measure changes occurred on websites since the GDPR enforcement and a few other advanced studies made systematic efforts to examine levels of online privacy knowledge and skills (Ooijen and Vrabec, 2019;Bornschein et al., 2020;Livingstone et al., 2021;Kretschmer et al., 2021;Kardos, 2021;Kumar, 2023).Yet, in most studies, little has been done to empirically assess the effect of OPL on users' information privacy empowerment, while it is crucial to understand online users' awareness about the GDPR rights/provisions and skills related to data protection and how they are likely to enhance their control over personal data, in an increasingly data-driven digital ecosystem.In summary, the lack of studies examining the effects of online privacy literacy, more particularly, the influence of awareness about GDPR provisions/rights on users' information privacy empowerment from users' perspective has been reported.
To fill this gap, this paper extends this line of the literature by empirically investigating the respective influence of two primary dimensions of online privacy literacynamely declarative and procedural knowledgeon online users' information privacy empowerment.Specifically, we examine how users' awareness about GDPR regulation and privacy rights guaranteed by the GDPR, awareness about firms and institutions practices in terms of data collection and further uses, awareness about the existence of a public authority to report complaint against privacy violations, and the actions taken by individuals to enable them enforcing security and handling information privacy through changing the privacy settings of their personal profile from the default settings and reading privacy policy statement, are likely to enhance users' perceived control over personal data.
Our empirical results suggest that higher levels of procedural knowledge are associated with increased perceived control over personal data.From a managerial point of view, a broad implication of this finding for practitioners and E-businesses stresses the need for empowering users with greater control over their personal data through adequate privacy protecting tools to ensure more confidential transactions by placing much emphasis on cookies banners visibility (Kagan and Bekkerman, 2018;Boerman et al., 2018;Bornschein et al., 2020;Suh and Han, 2003).Another implication of this result is that individuals' empowerment over information privacy is often associated with a greater intention to share personal data (Prince, 2018;Kim and Kim, 2020), which is believed to be the fuel of data-driven economies and businesses that rely heavily on personal data disclosure.Hence, enhancing users' empowerment over personal information is likely to play a major role in raising users' level of personal data sharing.Furthermore, in view of our empirical results, greater awareness about firms and organizations practices in terms of data collections and further uses conditions was found to be significantly associated with increased users' privacy empowerment.This stresses the importance of greater transparency of data tracking and processing decisions made by online businesses and services to help raise users' awareness about what type of data is monitored, used and shared and therefore providing a sense of control over their information privacy.Moreover, empirical evidence of the econometric analysis has revealed that users reporting higher levels of privacy literacy expressed higher perceived control over their personal data.From policy perspective, this finding recommends that a greater emphasis should be placed on educational and training efforts and robust privacy literacy instruction to improve users' awareness around the GDPR privacy rights and to build a sense of selfawareness about the implicit processes of data gathering and processing to enhance users' empowerment over information privacy (Hartman-Caverly and Chisholm, 2023;Maier et al., 2023;Kumar, 2023;Prince et al., 2023).
This study has some limitations that must be acknowledged for future research.Empirical evidence of this study shows a negative relationship between the awareness about GDPR and user's empowerment.This bears some methodological issues related to multicollinearity effects between the "awareness about the GDPR" and the "awareness about the rights guaranteed by the GDPR".Hence, to enhance the relevance of findings, we accounted for this problem in a further model estimation (Cf.model specification number 5).In addition, this research investigated the link between OPL and users' privacy empowerment using a cross-sectional survey-based research design, that does not help studying causal effects.To provide better insights regarding this link, future research needs to carry out an experimental study design to study such effects.Finally, this study is based on self-reported responses.Privacy research, however, highlights that self-assessed survey-based design is not the most relevant to assess users' privacy literacy because of social desirability and cognitive biases (Prince et al., 2023;Ma and Chen, 2023).As a result, a particular caution is warranted when interpreting the results of this paper.Therefore, in future studies, an experimental research design is warranted to better assess the relevance of our research findings.Further, our study restricts the analysis of the effects of OPL on users' empowerment over personal information privacy to the population of EU citizens, which is likely to pose generalizability problems.This stresses the need to extend this work to a broader population of non-European countries while considering Internet users' awareness of regulations and policies related to personal information privacy when studying the online privacy literacy.