Consent as Friction
66 B.C. L. Rev. (forthcoming 2025)
74 Pages
Posted: 28 Aug 2024
Date Written: August 02, 2024
Abstract
The leading technology platforms generate several hundred billion dollars annually in revenue through algorithmically personalized advertising—with pernicious effects on our privacy, mental health, and democracy. To fuel their data-hungry algorithms, these platforms have long conditioned access to their services on far-reaching authorizations, embedded in boilerplate terms, to extract their users’ data. Until recently, privacy-sensitive alternatives were unavailable—even for a premium. Users faced a stark choice: submit to surveillance or forgo digital participation. I term this business practice 'surveillance by adhesion.'
In July 2023, however, the European Court of Justice ruled in Meta v. Bundeskartellamt that surveillance by adhesion violated the European Union’s General Data Protection Regulation. To comply with the EU’s new regulatory paradigm, the leading (predominantly American) platforms must fundamentally revise their business models. They must either abandon personalized advertising or obtain individuals' informed consent. In practice, the EU’s stringent guardrails—which mandate providing users with ‘real choice’ beyond mere consent pop-ups and granular control—may render consent so onerous to secure, precarious to sustain, restrictive to operationalize, and prone to litigation that they undermine the commercial viability of personalized advertising. Rather than empowering users to exercise control over their data, the consent mechanism may thus manifest as a vehicle for welcome friction, prompting a shift towards less invasive contextual advertising.
Building on these insights, this Article contends that U.S. policymakers and regulators should, and indeed can, likewise leverage consent as friction to undermine the economic viability of personalized advertising and other harmful surveillance-driven business models. This approach offers a pragmatic alternative to failed notions of user control over data, especially as democratic data governance too often remains beyond reach. Although the EU's new regulatory paradigm offers one model, there are multiple avenues to harness consent as a source of friction across different legal contexts. In fact, state-level biometric privacy laws exemplify this strategy's efficacy domestically. Their qualified consent requirements have thrown so much sand in the gears of biometric data collection and use that several leading technology companies have refrained from launching intrusive facial recognition applications altogether. By adopting this friction-based strategy, the Federal Trade Commission and state privacy enforcers can effectively establish potent data usage limitations.
Keywords: Consent, Data Protection, Privacy, GDPR, Biometric Privacy, Friction, Surveillance, Surveillance by Adhesion, Choice, Illinois, Texas, Contract, Data Relations