Every day, digital platforms ask us to make what looks like a simple decision. We are told to click “Accept,” “Agree,” or “Continue” before using an app, creating an account, or updating a service. These small prompts seem to represent something important: our freedom to choose what happens to our personal data. Platforms present this as evidence that users are informed, autonomous, and in control. If we clicked the button, then we must have agreed. In reality, most people do not read privacy policies closely, do not understand how their data will circulate across multiple systems, and often cannot realistically refuse without giving up access to services that have become central to everyday life. The issue, then, is not whether users clicked “yes.” The issue is whether that click can honestly be called meaningful consent.
Privacy “choice” on digital platforms is often more symbolic than real. Platforms frame privacy as an individual responsibility, suggesting that users can protect themselves if they read the terms, adjust their settings, and make smart decisions. Yet this framing hides a profound imbalance of power. Users face long and technical policies, default tracking, fragmented settings, opaque data-sharing arrangements, and business models built around profiling and targeted advertising. In that environment, consent becomes less a genuine expression of autonomy than a ritual that legitimises data extraction. As Daniel Solove argues, privacy self-management places unrealistic burdens on individuals and often fails to produce meaningful control (Solove, 2013). Helen Nissenbaum’s work is equally helpful here because it shows that privacy is not just about secrecy but about whether information flows are appropriate to a specific social context (Nissenbaum, 2004, 2010).
The Problem Is Bigger Than a Button
One reason platform consent is so fragile is that it treats privacy as a matter of isolated, one-time decisions. The assumption seems to be that when a user sees a notice and clicks “I agree,” they have knowingly authorised a set of data practices. But this model only works if users can understand what they are agreeing to, anticipate future consequences, and reject unwanted practices without major penalties. In the platform economy, those conditions rarely exist.
Privacy policies are notoriously long and difficult to read. Even when they are simplified, they often describe data practices at a high level rather than showing how information will actually move through an advertising ecosystem, machine-learning system, or network of third-party partners. The average user cannot reasonably track these flows. Solove calls this the “consent dilemma”: privacy law relies heavily on consent because it appears to respect individual freedom, yet the complexity of modern data processing makes that consent largely meaningless in practice (Solove, 2013). Users are formally asked to decide, but the system is structured so that they cannot fully understand what is at stake.
There is also a basic power imbalance here. Users do not negotiate with platforms on equal terms. Meta, Google, TikTok, and other large companies determine the interface, the wording, the defaults, and the consequences of refusing. They decide whether privacy options are prominent or buried, whether the choice is granular or broad, and whether saying “no” is realistic. A user may appear to have agency, but only within a system whose rules have already been designed by the platform. In that sense, privacy choice is constrained before the user even sees the prompt.
Privacy Is About Context, Not Just Disclosure
Another problem with the platform model of consent is that it assumes privacy can be reduced to a simple question: are you willing to share your data or not? Nissenbaum’s theory of contextual integrity shows why that is misleading. Privacy is not just about keeping information secret. It is about whether personal information flows in ways that fit the norms of a particular context. People may willingly share information with friends, teachers, doctors, employers, or online communities, but that does not mean they agree to have the same information analysed for advertising, behavioural prediction, or user classification.
This matters because digital platforms collapse multiple contexts into one infrastructure. A person may use Instagram to follow friends, browse fashion, watch political commentary, and message classmates all in the same session. To the user, these feel like different social activities. To the platform, however, they all generate data points that can be combined, profiled, and monetised. Information that was produced in a social or cultural context is easily repurposed for a commercial one. Contextual integrity is broken when data given in one setting is redirected into another without users truly understanding that shift (Nissenbaum, 2004, 2010).
That is why the problem with platform privacy cannot be solved simply by improving notice-and-consent forms. Even a clearer privacy policy would not fully address the underlying issue: people cannot meaningfully consent to every future data flow in an environment where those flows are dynamic, interconnected, and continuously evolving. One click cannot capture the complexity of platformed data use.
How Platforms Turn Privacy Into Individual Responsibility
Digital platforms have been very successful at turning privacy into a personal management problem. They tell users that privacy is something they can control through better choices: read the policy, check the settings, disable certain permissions, clear your history, reject cookies, or opt out of personalised ads where possible. This language sounds empowering, but it also performs an ideological function. It shifts responsibility away from the companies designing the system and onto the individuals using it.
Once privacy is framed this way, harms can be blamed on users themselves. If your data is collected, tracked, combined, or used to infer sensitive characteristics, the implication is that you should have been more careful. But this ignores the reality of information asymmetry. Platforms know vastly more than users about what is collected, how it is analysed, who receives it, and what can be inferred from it. Users see the surface of the service; platforms see the full back-end architecture.
This is exactly why platform privacy should be understood as a governance issue rather than just a consumer issue. Terry Flew argues that platform regulation has become central because platforms exercise significant power over communication, markets, and everyday life (Flew, 2021). Nicolas Suzor similarly shows that digital environments are governed by private rules that users do not meaningfully shape (Suzor, 2019). Privacy choices on platforms therefore do not happen in a neutral environment. They happen in privately governed spaces where users are dependent on infrastructures they did not design and cannot easily leave. That makes “choice” a weak safeguard.
Why Targeted Advertising Exposes the Limits of “Consent”
Targeted advertising is perhaps the clearest example of why digital privacy choice is often just for show. Platforms frequently present personalised advertising as beneficial to everyone. Users see ads that are supposedly more relevant. Advertisers reach likely customers more efficiently. Platforms can therefore keep services “free.” But this polished narrative hides a much more troubling system.
Targeted advertising depends on persistent observation, categorisation, and prediction. Platforms do not only use information that users voluntarily type into a profile. They also analyse browsing behaviour, likes, views, dwell time, social networks, location signals, device information, app activity, and inferred interests. Over time, this creates a commercial portrait of the user: what they may want, fear, need, believe, or be vulnerable to. This portrait is never fully visible to the user, and users usually do not know how their data has been combined, what assumptions have been made, or how those assumptions shape what they are shown.
That opacity matters because the issue is not simply that personalised ads feel invasive. It is that the ad system classifies people and treats them differently on the basis of hidden inferences. This can affect who is seen as persuadable, profitable, risky, or valuable. It can also reproduce inequalities. As Marwick and boyd argue, privacy is harder to achieve at the margins, especially for people with less power, fewer resources, and fewer options to opt out of datafied systems (Marwick & boyd, 2018). In other words, the burden of “managing” privacy does not fall evenly.
Meta’s “Pay or Consent” Model Shows What Fake Choice Looks Like
A particularly revealing current case is Meta’s “pay or consent” model in the European Union. In 2023, Meta began offering users in the EU a binary choice: either pay for an ad-free subscription version of Facebook and Instagram or continue using the services for free while consenting to personalised advertising based on the processing of personal data. On the surface, this looked like the sort of privacy choice platforms often claim to support. Users were not simply forced into one option; they were given alternatives.
However, European regulators quickly challenged that framing. In April 2024, the European Data Protection Board adopted Opinion 08/2024 on “consent or pay” models used by large online platforms. The Board said such models must provide a real choice and stressed that, in most cases, large online platforms should consider offering people a free alternative that does not rely on behavioural advertising. The EDPB’s concern was that consent cannot be regarded as freely given if users are pushed into agreeing because the alternative is financially or socially costly.
The European Commission then moved further. In July 2024, it announced preliminary findings that Meta’s model breached the Digital Markets Act because it did not give users the required choice of a service that uses less of their personal data. In April 2025, the Commission formally found Meta in breach of the DMA and fined the company €200 million, stating that Meta had failed to give consumers a choice of a service that uses less personal data.
This case matters because it exposes the difference between formal and substantive consent. Meta could argue that no one was literally forced: users could pay, consent, or leave. But regulators focused on a deeper question: when a platform occupies such a central role in social and communicative life, can that really count as free agreement? If refusing personalised advertising means paying money or losing full access to major platforms, the “choice” is already heavily constrained. That is precisely why this case is so useful for understanding platform privacy. It shows that consent cannot be judged only by the presence of a button or menu. It must also be judged in light of dependency, market power, and realistic alternatives.
Meta later announced changes for EU users in November 2024, including a lower subscription price and a new “less personalized ads” option for those who continue to use Facebook and Instagram for free. Even Meta’s own announcement made clear that these changes were a response to regulatory developments in Europe rather than a spontaneous rethinking of user autonomy. This is important because it suggests that meaningful privacy protection is more likely to come from external governance than from the goodwill of platforms themselves.
Why Better Privacy Requires Structural Change
Australia’s privacy reform discussions point in the same direction. The Australian Government released its response to the Privacy Act Review Report in September 2023. Then, on 29 November 2024, Parliament passed the Privacy and Other Legislation Amendment Act 2024, which progressed 23 proposals from that response, including a framework for a Children’s Online Privacy Code and a new statutory tort for serious invasions of privacy. These reforms matter because they recognise that older privacy models are not adequate for contemporary digital environments.
Still, legal reform will remain limited if it does not address the underlying business model of large platforms. A stronger approach would reduce reliance on privacy self-management and shift the burden upward. That means stricter limits on data minimisation, clearer obligations around cross-context data use, stronger rights to refuse profiling, and closer scrutiny of advertising systems built on hidden inference. It also means recognising that privacy is not merely a preference that users can trade away casually.
The Real Question Is Whether We Can Say No
Digital platforms like to tell users that privacy is in their hands. It is a powerful story because it turns a structural problem into an individual one. If you were tracked, profiled, or nudged, perhaps you should have read the fine print more carefully. But that explanation no longer holds. When consent is bundled with dependency, buried in complexity, and shaped by market power, it cannot do the moral and legal work platforms want it to do.
So did we ever really consent? Sometimes, perhaps. But in many cases, what looks like privacy choice is better understood as a managed performance of agreement. The system is designed to make saying yes easier, cheaper, and more realistic than saying no. Until privacy governance moves beyond the fantasy of perfectly informed individual choice, digital platforms will continue to stage consent while keeping control for themselves.
Reference
Attorney-General’s Department. (2023, September 28). Government response to the Privacy Act Review Report. Australian Government. https://www.ag.gov.au/rights-and-protections/publications/government-response-privacy-act-review-report
Attorney-General’s Department. (2024). Privacy and Other Legislation Amendment Act 2024. Australian Government. https://www.legislation.gov.au/C2024A00128/asmade
European Commission. (2024, July 1). Commission sends preliminary findings to Meta over its “pay or consent” model for breach of the Digital Markets Act. https://digital-markets-act.ec.europa.eu/commission-sends-preliminary-findings-meta-over-its-pay-or-consent-model-breach-digital-markets-act-2024-07-01_en
European Commission. (2025, April 23). Commission finds Apple and Meta in breach of the Digital Markets Act. https://digital-strategy.ec.europa.eu/en/news/commission-finds-apple-and-meta-breach-digital-markets-act
European Data Protection Board. (2024, April 17). Opinion 08/2024 on valid consent in the context of consent or pay models implemented by large online platforms. https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_en
Flew, T. (2021). Regulating platforms. Polity.
Marwick, A. E., & boyd, d. (2018). Understanding privacy at the margins. International Journal of Communication, 12, 1157–1165. https://ijoc.org/index.php/ijoc/article/view/7053
Meta. (2024, November 12). Facebook and Instagram to offer subscription for no ads in Europe. https://about.fb.com/news/2024/11/facebook-and-instagram-to-offer-subscription-for-no-ads-in-europe/
Nissenbaum, H. (2004). Privacy as contextual integrity. Washington Law Review, 79(1), 119–158.
Nissenbaum, H. (2010). Privacy in context: Technology, policy, and the integrity of social life. Stanford University Press.
Solove, D. J. (2013). Privacy self-management and the consent dilemma. Harvard Law Review, 126(7), 1880–1903. https://harvardlawreview.org/print/vol-126/introduction-privacy-self-management-and-the-consent-dilemma/
Suzor, N. P. (2019). Lawless: The secret rules that govern our digital lives. Cambridge University Press.
Zuboff, S. (2019). The age of surveillance capitalism: The fight for a human future at the new frontier of power. PublicAffairs.
Be the first to comment