In this age of big data, whether we’re browsing social media or shopping websites, we’re constantly bombarded with ads for various products. Often, these ads promote exactly what we need, thanks to advertisers’ personalized, targeted advertising. Opinions on this feature are divided: some view personalized ads as an invasion of privacy, while others see them as a way to make life more convenient. On YouTube, there are plenty of people searching for both how to turn this feature on and how to turn it off.


Where Do Personalised Ads Come From?
Targeted advertising is a marketing strategy in which companies use data and digital technologies to collect personal information—such as gender, age, income, and location—and then use algorithms to display ads tailored to an individual’s interests. The goal is to enhance user experience and engagement by offering personalized interactions and promotions. For example, a luxury men’s watch brand would show ads only to men aged 35 and up with high incomes in major cities.
But how do they acquire our data? Brands use first- and third-party cookies to track individuals’ online behavior. A cookie is a small piece of code that follows you around the internet, collecting data about the websites you visit, the products you look at, and the type of searches you conduct. It is also known as a pixel. Cookies help the company learn about its consumers and serve as a convenience for the shopper, who would not want to re-enter information or start shopping over whenever they revisit a site.
Online stores use cookies to record visitors’ information on the site. This includes login information, items in their shopping carts, and other preferences. Brands often include cookies from their advertising platforms, such as Facebook or Google.
Not Your Input, But Your Tracings
Take Google, for example: it has numerous methods of gathering your information because it is present in so many aspects of the typical user’s life, from web searches to YouTube video consumption. Even details like the Android apps you install and the places you visit based on Google Maps can be gathered and, depending on corporate policy, used to tailor your advertisements. Additionally, a lot of websites take part in a service called AdSense, which enables them to show visitors more relevant advertisements while also giving Google data.
In a similar way, Facebook gathers every piece of data you produce while accessing its social media platforms, such as Facebook, Instagram, and Messenger. Based on your interests and demographics, Facebook groups you into “cohorts” that advertisers may use to target specific audiences. Your advertising profile is created by these apps using your page likes, post likes, recent searches, and personal data.
The crucial issue is that, for the most part, the data being utilized are not those that the user directly provides to the digital product or service provider; these are safeguarded by privacy regulations, albeit insufficiently. Instead, they are aggregated data and deidentified or pseudo-anonymous data that can be used again without the actual product or service being provided (Flew, 2021).
Are You Actually Saying Yes?
However, are these consents truly choices that we get to make?
Before we start using social media platforms like X and Facebook, before all of the above happens, there is one crucial step: we must agree to their privacy policies. By clicking “I Agree,” we are effectively trading some of our privacy and data for the right to use these platforms. Our usage data may be collected and analyzed, ultimately becoming part of “user experience improvement initiatives” or serving as the basis for personalized advertising. For the vast majority of us, this is already a common reality; in a sense, it can even be viewed as the foundation of social media’s business model.
However, there is a gap between what we agreed to and what we understood. How many of us actually understand any of it when we choose to agree? Are these consents truly choices that we get to make?
One line of reasoning is that as long as users agree to how their data is used, the platform’s actions are lawful. The question is: does this logic really hold up in the context of digital platforms?

First of all, most people do NOT read the terms of service. Research indicates that over 80% of users do not read the terms of service carefully before accepting them. If they were to actually read them, it would take the average person more than six and a half hours to read the terms of service for their top ten downloaded apps. In a study by Home Security Heroes, 79% of respondents believe that applications intentionally make their terms of service complex and lengthy for questionable reasons.
Second, refusing to agree to terms can mean being left out. When a social platform like Instagram has billions of users, and when its services have essentially become part of the infrastructure of online social life—following social updates, checking the news, and so on—refusing to click “Agree” means refusing to use the platform. Users have no easy way to negotiate; we can only accept the terms, or reject them and use the platform with extremely limited functionality, making normal use completely impossible.
What could this mean? It means we would be opting out of one of the primary means of social connection in this data age. Imagine refusing to use WhatsApp and giving up all its features. Although we could still use X, Instagram, and other platforms to communicate with friends and family, using these apps also requires us to agree to their terms of service. In other words, no matter how we choose, we cannot fully protect our privacy from the various companies out there on the Internet. This cannot be considered a true choice. Genuine consent requires the genuine ability to refuse, and that ability does not fully exist here.
Thirdly, these terms were originally designed and implemented to protect the company’s interests. Generally speaking, terms of service grant service providers extensive authority. Particularly for large corporate platforms, these terms are drafted to safeguard their commercial interests. They grant platform operators absolute discretion, enabling them to establish and enforce rules based on their own judgment. Terms of service are not intended to serve as regulatory documents; they are designed to protect the company’s legitimate rights and interests, and they are almost all very careful to promise nothing and reserve almost absolute discretion to the owner of the network (Suzor, 2019).
Even if we do take the time to read the terms and click “I Agree,” those terms can also change. Platforms can unilaterally amend their terms of service at any time, typically by sending a notification email or posting a notice in an inconspicuous corner of the site; some companies even change their terms without notifying users. The agreement you initially accepted may be a completely different document from the one governing your data usage six months later. Yet the law still considers you to have “consented.”
When considered together, these three points suggest the possibility that, in this context, “consent” does not describe an expression of the user’s own will, but rather resembles a carefully engineered act of compliance.

The most direct consequence of this unequal exchange is the abuse of user privacy. The 2018 Facebook scandal is one of the most notorious examples of this; in that incident, the data of millions of Facebook users was collected without their consent and used for political advertising, leading to Facebook being sued and ultimately fined a massive sum. That same year, the EU’s General Data Protection Regulation (GDPR) officially took effect, hailed as the strictest privacy protection law in history. But are things really moving in the right direction?
Is The Law Really Protecting Us?
If consent mechanisms form the foundation of platform power, then it can be argued that, in this process, the role played by privacy regulations is less about constraining platforms and more about providing legal validation of their power.
Take the GDPR as an example: its core framework still relies on “informed consent” as the basis for legitimacy, requiring platforms to obtain users’ explicit consent before collecting data, and stipulating that such consent must be “freely given, specific, informed, and unambiguous.” These requirements sound strict, but they fail to address a fundamental issue: in a structure where users lack the genuine ability to refuse, no form of consent can meet these standards. The GDPR enshrines “consent” in law, but the “consent” it protects may have been a fiction from the very beginning (Solove, 2023).
The Cambridge Analytica scandal illustrates this point even more clearly. After the scandal broke, Facebook accepted the largest settlement in the history of the U.S. Federal Trade Commission—a $5 billion fine. This figure sounds enormous, but statistics show that it represents only a small fraction of Facebook’s revenue, amounting to approximately 9% of its profit from the previous fiscal year (TechBloat, 2025).
More importantly, the terms of the settlement were negotiated with deep involvement from Facebook’s legal team, and the end result was that the platform gained clarity on which data practices are permitted and which should be avoided. In other words, following the scandal, rather than being locked in a cage, Facebook was given a detailed map outlining the boundaries of that cage.
Mark Zuckerberg subsequently made a public appeal for the government to strengthen internet regulation. This could perhaps be interpreted as a CEO’s gesture of repentance. However, regulations designed to protect consumers may reshape the competitive landscape in ways legislators did not anticipate. But if you understand what regulation means for large platforms, the logic behind this stance becomes very clear: regulatory compliance generates fixed costs, and only large platforms can bear these compliance costs; the more complex the regulatory framework, the higher the barriers to entry for smaller competitors. Following the implementation of the General Data Protection Regulation (GDPR), the profitability of small IT companies declined by 12%, while that of large IT companies fell by only 4.6%. From this perspective, it can be argued that legal regulation has not truly curbed platform power; rather, it has merely consolidated that power and stamped it with the seal of democratic procedure.
This legal vacuum has led to an obvious consequence: people’s right to privacy is not protected.
Companies can use these terms of service and privacy policies to process personal information on an industrial scale, and they can also engage in “dataveillance,” which is “the monitoring of citizens on the basis of their online data” (Flew, 2021). To give a concrete example, suppose one day you and a book-loving friend plan to go out to eat downtown. During your conversation, you discuss some recent bestsellers, and just then you pick up your phone and notice it’s pushing a major sale at a downtown bookstore. This is truly unsettling; you might even think, “Is my phone listening to me?” In fact, with access to your vast amount of data, achieving this is merely a matter of simple logical inference. Your friend’s browsing history likely reveals their reading preferences, and your phone’s location data shows that you are currently together. Therefore, with just a little data analysis and logical inference, Google might conclude that you are in the mood to browse a bookstore. Without actually eavesdropping on anyone, a phone can act as if it has ears, precisely delivering personalized ads.
A Different Starting Point
Past discussions on privacy policies have always been based on the framework of “informed consent,” but what if the framework itself is the problem? If informed consent serves as the basis for legitimacy, then the real question that needs to be asked is: How do we verify the legitimacy of consent? Currently, the power of interpretation leans heavily toward the platforms. Platforms effectively hold complete autonomy over their terms of service, and large companies like Facebook even have the capacity to directly influence legislation, ensuring that the final legal framework aligns with their business models. Meanwhile, users’ role in this process is limited to clicking “agree” or “opt out” within the boundaries set by the platform.
Perhaps, to change this logic, we should reverse this premise and grant users more substantive rights to information and a greater say in the matter. Platforms have a responsibility to ensure that users truly understand the main points of the agreement before consenting, and they should take a more proactive role in safeguarding this—for example, by including a brief summary at the beginning or actively notifying users of changes to the terms. This is not a complete solution; dismantling the structural power of platforms is a longer-term, more complex process involving a range of broader issues such as antitrust and platform governance. But it is at least a starting point, because our privacy protection laws cannot continue to be built on flawed premises, and true change may need to begin with acknowledging this premise.
References
Flew, T. (2021). Regulating platforms. Polity Press.
Maulana Ahmad. (n.d.). Red hands holding a black silhouette of a head vector [Illustration]. Unsplash. https://unsplash.com/
Home Security Heroes. (n.d.). Do you have enough time to read terms of service? https://www.securityhero.io/time-to-read-terms-of-service/
R Street Institute. (n.d.). Regulations can create the monopolies they’re meant to prevent. https://www.rstreet.org/research/regulations-can-create-the-monopolies-theyre-meant-to-prevent/
Round Icons. (n.d.). A computer screen with a check mark on it vector [Illustration]. Unsplash. https://unsplash.com/
Shopify. (2025). Personalized advertising: How it works and examples. https://www.shopify.com/blog/personalized-advertising
Solove, D. J. (2023). Murky consent: An approach to the fictions of consent in privacy law. Boston University Law Review, 104, 593 (2024). GWU Legal Studies Research Paper No. 2023-23; GWU Law School Public Law Research Paper No. 2023-23. https://ssrn.com/abstract=4333743 or http://dx.doi.org/10.2139/ssrn.4333743
Suzor, N. (2019). Lawless: The secret rules that govern our digital lives. Cambridge University Press.
TechBloat. (2025). FTC officially announces it’s slapping Facebook with a $5 billion fine.
Wikipedia. (2025). Facebook–Cambridge Analytica data scandal. https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal
Fox Business. (2019, April 1). Facebook’s Mark Zuckerberg calls for internet regulations. YouTube. https://www.youtube.com/watch?v=sAKln3tz_iA