To be honest, when was the last time you actually read the “Privacy Policy”?

In contemporary digital life, “I agree and accept all” has become one of the most common but also easily overlooked click behaviors. Whether browsing web pages, downloading apps, or using social media, users are repeatedly asked to click on “I Agree”.

When you open a website, and a pop-up immediately appears:“We value your privacy”. The interface usually presents two options: a large, brightly coloured button that says “Accept All”, and a small gray link tucked away in the corner labeled “Manage Settings”.

Your thumb is already moving toward the screen, it’s not because you don’t care about your privacy, but because you don’t have the time to pay attention to these small details. Under the pressure of time and the simple desire to use the service, most people click the first option without hesitation. Maybe you just want to read an article, buy something, or scroll through videos. But almost every platform requires you to agree to its terms of service before you can proceed.

This is the strange paradox of privacy in the digital age. We are told more frequently than ever that we have the right to choose, but we are also more difficult than ever to make a real choice. From cookie pop ups to confirmation of terms during application installation, to privacy settings on social media, every step in the digital space requires consent for everything, but are these consents truly built on knowledge and voluntariness?

As Terry Flew (2018) argues, digital platforms have become part of the infrastructure of everyday life, deeply embedded in users’ lives through data collection, algorithmic ranking, and platform-based business models. Platforms are not merely technological tools; rather, they function as systems of power shaped by data, algorithms, and governance structures. Within this system, choice itself is often designed, guided, and even constrained (van Dijck et al., 2018, as cited in Flew, 2021). In other words, privacy is not something users genuinely control, but something that has been constructed as a “seemingly available” choice.

The First Click: When “Accept All” Becomes the Only Real Option

Let’s go back to that pop-up window. Have you noticed its design?

On the surface, you have the options “Accept all” and “Reject cookies”, but in reality, most users will simply click “Accept All”.

The problem is that this choice isn’t neutral in itself.

The “Accept All” button is usually brightly colored, in large font, and placed in the most prominent spot, while “Reject cookies” is gray, in small font, and hidden under secondary links or even within multi-level menus.

What’s even more sneaky is that there’s no “Reject All” button at all. Want to decline? You have to click through each one individually and turn them off one by one.

This kind of design is known as “dark patterns”, referring to interface strategies that use page layout and structure to guide users toward actions preferred by the designer. Complex categories, lengthy explanations, and endlessly nested options make it almost impossible to truly understand and refuse.

From the perspective of platform logic, this design is not accidental but part of the business model. As Srnicek (2017, as cited in Flew, 2021) argues, platforms rely on data-driven growth, and cookies are one of the key infrastructures for capturing user behavioral data.

When consent is shaped by interface design, can it still be considered genuine consent? Alice Marwick and Danah Boyd (2018) argue that most people exist in a state of “data-by-circumstance”, where data collection is not an active choice but a byproduct of participating in digital life. To use navigation services, you must agree to location tracking; to download an app, you must accept a full set of permissions. We are simply going about our everyday lives, yet each ordinary action is being recorded, categorized, and priced. Consent is no longer a truly informed choice. Users appear to be granting permission, but in reality, they are merely entering a system of continuous data extraction.

Why Does the Platform Know You Better Than You Know Yourself?

If cookie pop ups are just an entrance, then recommendation systems on platforms like TikTok are a continuous process of data collection.

Many users will have an intuitive feeling: “How does this app understand me so well?” Just talked to a friend about a certain topic, or just stayed on a video for a few more seconds, and then the page was filled with related content.

TikTok doesn’t need you to tell it what you like, it just needs you to use it normally.

Every swipe, every pause, every like and share will be recorded and archived.

Individually, each piece of data may seem insignificant, but when pieced together, they form the outline of your interests. The platform constructs user profiles by continuously collecting user behavior data and uses it to determine what content you see.

But the key issue is that this process does not occur with the explicit knowledge and consent of the user, but is embedded in daily use and naturalized as a part of the normal experience.

The question is, do users really know what data they are providing?

Shoshana Zuboff (2019, as cited in Flew, 2021) describes this phenomenon as “surveillance capitalism”, in which platforms continuously track user behavior and transform everyday activities into data that can be predicted and monetized. These data are not actively provided by users; rather, they are automatically extracted through the very process of using the platform.

This passive data generation makes it difficult for users to truly understand how their information is collected and used, and also weakens the meaning of “consent”. Although users formally agree to the platform’s terms of use, in practice, they are unable to understand how data is collected or effectively control its subsequent use.

Everything we do on the platform has become a data product related to us, and when all of this happens, we are actually just scrolling through videos. Every swipe becomes a row of records in the database, a price tag in the hands of an advertiser.

Therefore, rather than saying that the platform is “understanding users”, it is more accurate to say that the platform is continuously shaping users. TikTok’s understanding of you is not a technological miracle, but a privacy vulnerability. In this process, users’ control over their own data is constantly weakened and the so-called privacy choice has gradually evolved into an imperceptible false choice.

The Terms You Can’t Refuse

One of the most obscure and confusing aspects of making choices is the terms of service.

When you download a new piece of software, a page pops up filled with dense legal jargon and endless, specific clauses.

Almost every platform requires users to agree to the terms before using the service, but the terms are so lengthy and complex that few people actually read them all the way through. Yet if you don’t agree, you can’t use the service. In this situation, can “consent” really be considered voluntary?

Suzor (2019) argues that platforms’ terms of service are not merely legal documents but forms of governance that set the rules of digital public space, without granting users meaningful power. Under these conditions, if users do not agree to the terms, their only real option is to leave.

In 2009, Mark Zuckerberg publicly promised that Facebook users would be able to vote on changes to the privacy policy. He believed that the terms of service were a governing document that needed to reflect users’ values.

But Facebook has only set the voting threshold at 30% of all active users, which is almost impossible to achieve on a platform with billions of users. In 2012, when this vote was actually held, 88% of people opposed the amendment, but the number of voters was less than 1%. Ultimately, this mechanism did not truly change the platform’s decision-making approach. Subsequently, Facebook quietly withdrew this democratic experiment, and the authorship of the blog post was also modified, attributing it to a “former employee”. The result is that the impact of users on platform rules is still very limited, and even if the platform occasionally pretends to give you rights, it can revoke them at any time.

Legally speaking, the relationship between users and the platform is not akin to that between citizens and the state, but rather resembles the relationship between consumers and businesses. This also means that users’ rights on the platform are largely determined by the platform itself.

As Alice Marwick and Danah Boyd (2018) argue, a core insight is that the ability to maintain privacy is largely shaped by privilege. Those with greater resources and social capital may be able to seek out alternatives, but for most users, refusing consent simply means being unable to use the service.

Therefore, Terms&Conditions is not a simple legal agreement, but a structural unequal arrangement.

Users must accept the rules in order to enter the system, and the rules themselves are entirely determined by the platform. In this case, “agreement” is more like a forced choice rather than a free decision.

The Regulators Are Moving. But Is Change Coming?

Here’s something you might not know: Australian regulators have started paying attention to these very problems.

In its 2025-26 enforcement priorities, the Office of the Australian Information Commissioner explicitly named “dark patterns” as a target. The OAIC is now scrutinizing confusing “reject all” options and interfaces designed to nudge users into sharing more data than intended. AdTech tracking technologies and consent design are also firmly in their sights.

Then, in January 2026, the OAIC launched its first-ever privacy compliance sweep—a targeted review of the privacy policies of approximately 60 organizations across six sectors. According to the Privacy Commissioner, consumers are facing “power and information asymmetries”, as well as a “lack of choice and control” over their own personal information. Under privacy reforms passed in late 2024, the OAIC can now issue infringement notices of up to $330,000 for non-compliance.

Meanwhile, the Australian Competition and Consumer Commission’s Digital Platform Services Inquiry released its final report in June 2025. Its conclusion was blunt: consumers continue to face “manipulative design practices” in digital markets, and Australia’s current laws “cannot adequately address” the harms caused by large digital platforms. The ACCC’s consumer survey found that 72% of Australians have encountered potentially unfair practices when shopping online, and 82% support the establishment of a specialized independent external dispute resolution body for digital platform services.

So yes, the regulators are finally moving.

But here’s the harder question: how do you fight an industry that has spent decades perfecting the art of making you click “Agree”?

Conclusion

Digital platforms transform privacy choices into a designed process through a series of seemingly decentralized mechanisms.

From the quick agreement in cookie pop ups to the continuous accumulation of data on the platform, to the usage threshold built by Terms&Conditions, users are always placed in an environment that is difficult to truly refuse.

The so-called privacy choice is largely an institutionalized illusion.

Users do not truly control their own data; instead, they are guided along a path designed by the platform to make decisions that appear to be voluntary.

As Terry Flew (2018) argues in his discussion of platform regulation, the era of platform self-regulation is coming to an end. However, this shift will not happen automatically; it requires sustained public attention as well as pressure at the policy level. In this sense, awareness at the individual level is a necessary precondition for generating that broader pressure.

If individuals are no longer able to effectively protect their privacy through “personal choice”, can a governance model based on “consent” still be established?

Relying solely on platforms to regulate themselves is no longer sufficient to address the issues of data abuse and power imbalances. The real question is not whether you clicked “Agree”, but whether you ever had the option to refuse. We need to establish governance mechanisms that are more binding and transparent; recognizing this is the first step toward reclaiming our right to choose.

References

ACCC. (2025, June 23). Regulatory reform in digital platform markets is needed to improve competition and consumer outcomes. Australian Competition and Consumer Commission. https://www.accc.gov.au/media-release/regulatory-reform-in-digital-platform-markets-is-needed-to-improve-competition-and-consumer-outcomes

Brignull, H. (2010). Deceptive Patterns. https://www.deceptive.design

Flew, T. (2018). Platforms on trial. InterMedia, 46(2), 24–29. https://eprints.qut.edu.au/120461/

Flew, T. (2021). Regulating Platforms (pp. 72–79). Polity Press.

Landers, & Rogers. (2026, February). Australian Privacy Law Update – What APP entities need to know in 2026. https://www.landers.com.au/legal-insights-news/australian-privacy-law-update-what-app-entities-need-to-know-in-2026

Marwick, A. E., & Boyd, D. (2018). Understanding Privacy at the Margins: Introduction. International Journal of Communication, 1157–1165.

OAIC. (2025, July 29). OAIC releases regulatory action priorities for 2025-26. OAIC. https://www.oaic.gov.au/news/media-centre/oaic-releases-regulatory-action-priorities-for-2025-26

Suzor, N. P. (2019). Lawless: The Secret Rules That Govern Our Digital Lives. 10–24. Cambridge University Press. https://doi.org/10.1017/9781108666428