We use different social media platforms and click “agree” every day. We accept TikTok’s updated privacy policy, agree to cookie terms on websites, and allow apps to access our photo albums. This can make users feel like they have choices and control over their privacy. It seems like privacy problems only happen when users are not careful enough. But that is not true. Clicking “agree” is often more like a cover used by platforms to hide how little they actually do to protect user privacy. In fact, most users do not really have control. They usually cannot clearly understand how their information moves, who can access it, or what it will be used for. And if they click “reject,” they may not even be allowed to access the platform. In many cases, users do not really have a free choice because they are always pushed into clicking “agree.” Therefore, privacy should not be seen as only a matter of whether an individual made the “right choice.” It should be understood as a bigger governance issue about platform power and digital rights.
Case: Meta’s $50m reckoning – the OAIC gets tough on privacy https://www.minterellison.com/articles/metas-50m-reckoning-the-oaic-gets-tough-on-privacy
Facebook was accused of exposing the personal data of millions of users around the world, including more than 300,000 people in Australia.The case started with a third-party app called This Is Your Digital Life, which was created by a Cambridge University professor. The app used Facebook’s Graph API to collect data from the people who installed it and also from their Facebook friends. The data was then shared with the British data company Cambridge Analytica. This went against Facebook’s own Terms of Service. Cambridge Analytica said it used the data from Facebook users to run political ads during the 2016 U.S. presidential election. Then an investigation by the Office of the Australian Information Commissioner found that only 53 Facebook users in Australia had installed the app, but about 300,000 Australian users were affected. In the end, Meta agreed to pay a fine of 50 million Australian dollars to the OAIC. But Meta made this agreement without admitting legal responsibility and without giving up its right to defend itself. This case shows that the problem was not only about one person’s data being misused. A click could also affect the data of their friends.
The main problem is that personal data did not stay where users thought it would stay. Once information could move from a social platform to third parties and then into political use, the problem stopped being just about personal choice. It became a problem about information flows: where information goes, who gets it, and whether that movement fits the context in which the information was first shared (Nissenbaum,2018).
Why Clicking “Agree” Does Not Mean Real Privacy Control
The fact that users click “Agree” does not mean they really control their privacy. This is because privacy is not only about whether a person controls their own information. We often think a privacy breach happens when someone loses control over personal data. But the real issue is not just “Can I decide whether my information is shared?” It is also “Is it right for this information to move in this way?” In the Facebook case, user data moved into a political context. This is not an appropriate context for that information to appear in. So, the key problem is not only whether someone clicked consent, but also whether the information flow broke the rules that should exist in that social context. This information norm can be understood through three parts: the actors involved, the type of information, and the way the information is transmitted (Nissenbaum,2018). In this case, the actors included users, their friends, Facebook, third-party platforms, and data analysts. At the same time, different kinds of information have different levels of sensitivity, which makes them fit with different contexts. Information moves with limits in different backgrounds. When users downloaded the app and gave permission, they only agreed to the use of their information in that original social context. They did not know that their data could later be used in a political context. This changed the original purpose for users sharing their information and made it away from what they first believed they had consented to. Also, how users control their information is only one small part of how information moves. Privacy problems will not disappear just because someone clicked “Agree.” Users do not usually pay attention to whether the permission is for single use, and platforms usually only ask for authorization once. It means that the platform may transfer or sell this data in the future. So, when information leaves its original context and moves into new commercial, political, or institutional uses, it can still cause privacy harm even if the platform says the user gave consent. This is because platform consent does not automatically mean that the information flow is fair or legitimate (Nissenbaum,2018).
Platform Power and the Limits of User Consent
It is the platform that really controls the data, but not the users. In this case, Facebook set the rules for how third-party apps could access and collect user data. Once users clicked “Agree,” they did not truly control where their data went. They simply entered a data system that Facebook had already designed, and that system mainly served the platform’s business interests. So, this case is not just a personal privacy failure, but a problem of platform governance and digital rights. Platform rules work like a basic consumer deal. Users accept the terms in exchange for access to the service. This is a relationship between a company and a consumer, not between a government and a citizen (Suzor,2019). In other words, users as consumers must accept the established rules made by the platform. So, even though the case seems to be about some users choosing to install an app, the deeper issue is that Facebook had already defined that choice as consumer consent. From the start, this consent was not designed as a real way for users to share control. It was mainly a condition for using the platform. This also shows that clicking “Agree” is mostly a form of contract acceptance, not a form of real participation. Therefore, it is the platform that has real power over data governance. Large platforms always write their terms of service to protect business interests, not to create equal rights for users. And here, Facebook failed to properly monitor third-party apps, and its rules on third-party data sharing were weak as well. It put users’ privacy at risk and ultimately violated it. That is because Facebook focused more on the value this third-party app could bring to its own ecosystem. So, it opened the door to third-party access and allowed them to use data more widely. In the end, Facebook, as the platform, held the real power. It decided what data apps could access, including the data of users’ friends.
In many cases, users keep using a platform because it has become part of their daily lives, and the cost of leaving is too high. Even when users do not agree with the platform’s terms or are unhappy with some of its features, they still choose to keep using the app. For example, many people find it hard to give up WeChat because it includes so many daily functions, such as messaging, entertainment, payments, and transport. So even when the app may raise privacy concerns, users still stay. On the surface, users seem to have choices. They can click “Agree” or not. They can leave the platform or change their privacy settings. But in real life, platform use does not work so simply. People are actually aware that their privacy is not fully protected when they use the platform, but they continue to use it anyway. These platforms are tied to their social relationships, education, work, and daily routines. As WeChat shows, a platform can have a special and powerful influence (Chen,2018). Users often have no choice but to accept the privacy rules set by these platforms because they depend on them so much that leaving is very difficult. So, when users click “Agree,” they are not really in control. It is just an act of following the rules. Therefore, users who download third-party Facebook apps may do so because they depend on Facebook to meet their social needs. This does not mean they are unaware of the possible privacy risks. It simply means that their need to stay connected is stronger than their ability to avoid those risks. This can be seen as a privacy paradox. On one hand, users care about privacy. But on the other hand, they still share information and keep using the platform, and they may accept some privacy loss in exchange for social benefits (Chen,2018). Facebook is not just a normal product that people can easily leave. For many users, it has become a form of social infrastructure. So, platforms are the main actors in digital governance, and they should take the main responsibility for protecting privacy.
Privacy, Digital Rights, and the Need for Government Intervention
The case I mentioned is not just a failure of user privacy management. It is a problem of digital rights and governance. The platform controlled how information moved and who could take part through its technical system, business model, and rule design. Also, Facebook only moved to stop this incident after the OAIC investigation and the A$50 million fine. This change came from government action, not from users’ own efforts. So, in some cases, government intervention is necessary to protect digital rights. Digital governance needs stronger oversight from higher-level authorities. Today, digital technology has become a key part of how people exercise their rights and take part in social life. It has also created more specific rights, such as data protection. Because of this, digital rights are not only about freedom. They are also about whether people can use the digital world in a fair and safe way (Karppinen,2017). In this case, the information flow was decided by Facebook: the rules for third-party access and the system for allowing access to friends’ data. The platform had the power to stop this, but it failed to do so. That is exactly why digital rights matter. Platforms are not neutral, and the digital order they build is not neutral either. These systems are designed to serve platform interests. Users are actually vulnerable groups because they have little power to defend their own rights. It is not enough to truly protect user privacy by simply telling them to be more careful. In the digital world, powerful platforms can shape the way people take part online by undermining privacy. Because of this, government intervention is necessary. Governments should strengthen oversight of these platforms and create stricter rules to limit the concentration of digital power and reduce commercial surveillance (Karppinen,2017). In this way, privacy can be protected as a basic right for users. The OAIC’s investigation and its demand that Meta pay A$50 million clearly show this point.
In conclusion, when users click “Agree,” it does not mean they really control their privacy. Users give platforms access to their data, but they cannot control where that data goes next, and they also do not know what other purposes it will be used for. Large digital platforms like Meta often make users feel that they are in control of their own data. But in fact, the rules and default settings are decided by the platforms. People’s participation in digital life depends on these platforms and is also limited by the platforms’ terms and technical design. Because of this, privacy problems are not mainly caused by individuals making wrong choices. It is how digital power is controlled and governed. So, protecting users’ online privacy requires government action that regulates platforms and creates stricter rules for how they operate.
Be the first to comment