Did you really “agree”? —— Why is clicking “Agree” never a privacy option?
Have you ever experienced this?
You download a new app, and as soon as you open it, a whole page of dense privacy policies pops up. Before you even finish reading the first line, you have already clicked “Agree.”
This is not because you truly understand and accept these terms, but because you have no choice.
If you don’t agree, you cannot use this service; if you carefully read that lengthy and complex legal jargon, it not only takes a lot of time but also may not truly help you understand how your data will be used. So, in our daily lives, we keep repeating this action: click “Agree” and then continue using.
But behind this simple action, we are actually handing over our chat records, location data, browsing habits, and even biometric information.
In the era dominated by digital platforms, privacy issues are no longer a matter of personal “choice” or “control” but a structural issue of power. In other words, the real problem is not whether users click “Agree,” but whether we should continue to base privacy protection on “agreement”—perhaps it’s time to shift from “user agreement” to “platform accountability.”
Who has stolen our privacy?
Traditionally, privacy was understood as the “right to be left alone”. As early as 1890, Warren and Brandeis proposed that privacy meant an individual’s protection from external interference and snooping (Warren & Brandeis, 1890).
However, this definition has become overly simplistic today.
With the development of digital technology, our lives have been continuously datafied. Privacy is no longer just “whether others see me”, but:
- Who is collecting my data?
- How are these data analyzed?
- Where will they go?
As Flew (2021) pointed out, digital platforms redefine the boundaries of privacy through data collection, analysis, and trading. In this “platformised society”, users are no longer the controllers of privacy, but rather “raw materials” in the platform’s business model.
Where is the problem?
The core of the privacy issue lies not in whether users are careful, but in the inequality of power.
Firstly, there is a serious information asymmetry. Users usually do not know how much data the platform collects, nor do they know how these data are used, and they cannot even know to which third parties the data is shared.
Secondly, there is the issue of rule-making power. As Suzor (2019) emphasized: “Who makes the rules, who has the power.” In the contemporary Internet environment, these rules are not set by the state or users, but by the platform companies themselves.
Users seem to have the right to choose, but in reality, they can only make limited choices within the framework set by the platform: either click “agree” or exit.
However, “exit” is often not realistic. Social media has become part of the social infrastructure. For example, work communication may rely on WeChat, and friend contact may rely on TikTok. In such cases, exiting the platform means being excluded from social life.
As Marwick and Boyd (2019) pointed out, privacy is actually a “privilege”. Those in the social margins have the least ability to protect their privacy because they have no other choice.
Contextual Integrity: Why “Consent” Isn’t Enough?
To understand why the “consent model” cannot truly protect privacy, one must not overlook an important concept proposed by Helen Nissenbaum: Contextual Integrity.
This theory holds that the essence of privacy lies not in whether the information is shared, but in whether it flows in an “appropriate context” (Nissenbaum, 2018).
For instance, in a hospital, it is reasonable for a doctor to view your medical records; however, if the same information is used by an insurance company or an advertiser, it constitutes an infringement on privacy.
That is to say, privacy is not a matter of “whether to consent”, but rather a question of “how the information flows”.
However, digital platforms have precisely broken these contextual boundaries.
For example, when you discuss travel plans with friends on a social media app, you will soon see flight advertisements; the health issues you searched for may appear in various recommended content. These data are not “stolen”, but are used under the condition that you click “consent”.
The problem lies in that: what you consent to is the use of data in a specific context, rather than the use in all commercial scenarios.
Therefore, when you click ‘consent’, you actually do not know how many contexts we never expected will use these data – and this opacity is precisely the result of the platform’s deliberate design.”
The Cambridge Analytica Incident: When “Agreement” Becomes a Hoax
The Cambridge Analytica incident in 2018 was perhaps the most typical example.
At that time, a political consulting company launched a seemingly harmless personality quiz app. Many users participated in it just for the sake of having fun, but this app collected data of approximately 87 million Facebook users, including not only the participants but also their friends’ information (Goggin et al., 2017).
These data were not used for “personality analysis” but were instead employed in the targeted political advertising during the 2016 US presidential election and the Brexit referendum.
This is where the problem lies.
Those who clicked “agree” thought they were just participating in an interesting little test. What they agreed to was the use of the data for this application, not for being sold to political campaign teams.
This is why many people consider this not only data abuse but more like a “hoax”.
But the deeper problem is not just this app.
In a platform environment, the rules are always set by the platform itself. Users may seem to have choices, but in reality, they can only make limited decisions within the established framework: either agree or leave.
As Suzor (2019) said, thinking that you are using a service, in fact, you are being governed by a private governance.
More realistically, “leaving” often is not an option. When these platforms have become part of daily life, the cost of exiting is so high that most people cannot afford it (Goggin et al., 2017).
After the Cambridge Analytica incident, Facebook was fined 5 billion US dollars, the EU strengthened GDPR, and Australia began to promote privacy law reforms.
But have the problems really been solved?
Australian Privacy Law Reform: Progress or Compromise?
In response to these issues, governments around the world have indeed begun to strengthen privacy regulation. Taking Australia as an example, the privacy law reforms in recent years have brought about a series of changes.
For instance, if an individual’s privacy is severely violated, users can now directly file a lawsuit under statutory tort instead of relying solely on the intervention of regulatory agencies. At the same time, starting from 2025, social media platforms are required to take measures to prevent users under the age of 16 from registering accounts; otherwise, they may face hefty fines. Additionally, doxxing, or publicly revealing someone’s identity, has been officially classified as a criminal offense, and maliciously disseminating others’ personal information may even result in imprisonment.
These changes seem to indicate a significant shift: Privacy is no longer merely a matter of users’ “agreement” or “disagreement”, but is once again regarded as a fundamental right that requires legal protection.
However, the question is, have these reforms truly changed the power relationship between platforms and users?
The answer may not be optimistic.
As Suzor (2019) pointed out, as long as platforms still hold the power to formulate rules and as privacy terms remain lengthy and complex legal texts, users will always be in a disadvantaged position. Theoretically, users can seek legal redress, but in reality, how many people have the time, resources, and ability to go to court?
From a broader perspective, Flew (2021) believes that the current privacy governance is more like a game between the state and platforms. In this game, the regulatory capacity of the state may be strengthening, but users are often still marginalized.
More crucially, the core business model of platforms has not changed. They still rely on data collection and targeted advertising to make profits. As Kemp (2023) criticized, these reforms largely accept this reality – in exchange for user privacy, the advertising industry continues to operate.
In other words, the law may be advancing, but the power structure has not fundamentally changed.
Why is “agreeing” never enough?
Why is “clicking to agree” never enough?
The problem lies in the fact that this “consent model” is based on several untenable premises.
Firstly, it assumes that users have equal bargaining power. But in reality, users have virtually no room to negotiate when facing the platform – either accept or leave, and “leaving” is often not feasible.
Secondly, it assumes that users have sufficient information to make rational choices. But privacy terms are often written in obscure and complex language, and users have neither the time nor the ability to truly understand these contents. Therefore, this is not a “choice”, but more like a forced acceptance.
Thirdly, it regards privacy as an individual issue. But as Marwick and Boyd (2019) pointed out, privacy is actually a social structural issue. Those who can protect privacy often have more resources; while the groups that need the most protection of privacy have the least ability to do so.
Finally, it ignores “contextual integrity“. Nissenbaum (2018) pointed out that the key to privacy is not whether to agree, but whether the information flows in the appropriate context. When information in one context is extended to a completely different scenario, the initial “agreement” loses its meaning.
Conclusion: From “Agreement” to “Accountability”
If “clicking ‘agree'” has never truly been a choice, then privacy protection cannot continue to rely on users reading the terms and clicking the button. Instead, it must shift to “platform accountability”.
From a legal perspective, the key is not just to make users “informed”, but to enable them to more easily file complaints, file lawsuits, and receive compensation when their privacy is violated, while also giving regulatory agencies the ability to punish the platform. Only when the cost of violating the rules truly increases will the platform change its data usage methods.
In platform design, “agreement” should not merely be a form. The terms should no longer be written in a lengthy and obscure manner, but should clearly state the purpose, destination, and use of data collection, especially the parts related to advertising and data sharing. The platform needs to reduce the opaque “black box” operations.
Of course, users can also make some changes. Before clicking “agree” next time, at least stop for a moment and think: Are these permissions really necessary?
In the end, privacy protection should no longer be based on users’ “agreement”, but on the responsibility of the platform.
Reference List
Flew, T. (2021). Regulating platforms. Polity.
Goggin, G., Vromen, A., Weatherall, K., Martin, F., Webb, A., Sunman, L., & Bailo, F. (2017). Digital rights in Australia. University of Sydney.
Kemp, K. (2023). Privacy Act Review Report 2022: Analysis and critique. UNSW Law Journal.
Marwick, A., & boyd, d. (2019). Understanding privacy at the margins. International Journal of Communication, 13, 1157–1165.
Nissenbaum, H. (2018). Respecting context to protect privacy: Why meaning matters. Science and Engineering Ethics, 24(3), 831–852.
Suzor, N. P. (2019). Lawless: The secret rules that govern our lives. Cambridge University Press.
Warren, S., & Brandeis, L. (1890). The right to privacy. Harvard Law Review, 4(5), 193–220.
Be the first to comment