Why People Don’t Demand Data Privacy, Even As Governments & Corporations Collect More Personal Info
from the don't-give-up-hope dept
When the Trump administration gave Immigration and Customs Enforcement access to a massive database of information about Medicaid recipients in June 2025, privacy and medical justice advocates sounded the alarm. They warned that the move could trigger all kinds of public health and human rights harms.
But most people likely shrugged and moved on with their day. Why is that? It’s not that people don’t care. According to a 2023 Pew Research Center survey, 81% of American adults said they were concerned about how companies use their data, and 71% said they were concerned about how the government uses their data.
At the same time, though, 61% expressed skepticism that anything they do makes much difference. This is because people have come to expect that their data will be captured, shared and misused by state and corporate entities alike. For example, many people are now accustomed to instinctively hitting “accept” on terms of service agreements, privacy policies and cookie banners regardless of what the policies actually say.
At the same time, data breaches have become a regular occurrence, and private digital conversations exposing everything from infidelity to military attacks have become the stuff of public scrutiny. The cumulative effect is that people are loath to change their behaviors to better protect their data − not because they don’t care, but because they’ve been conditioned to think that they can’t make a difference.
As scholars of data, technology and culture, we find that when people are made to feel as if data collection and abuse are inevitable, they are more likely to accept it – even if it jeopardizes their safety or basic rights.
Where regulation falls short
Policy reforms could help to change this perception, but they haven’t yet. In contrast to a growing number of countries that have comprehensive data protection or privacy laws, the United States offers only a patchwork of policies covering the issue.
At the federal level, the most comprehensive data privacy laws are nearly 40 years old. The Privacy Act of 1974, passed in the wake of federal wiretapping in the Watergate and the Counterintelligence Program scandals, limited how federal agencies collected and shared data. At the time government surveillance was unexpected and unpopular.
But it also left open a number of exceptions – including for law enforcement – and did not affect private companies. These gaps mean that data collected by private companies can end up in the hands of the government, and there is no good regulation protecting people from this loophole.
The Electronic Communications Privacy Act of 1986 extended protections against telephone wire tapping to include electronic communications, which included services such as email. But the law did not account for the possibility that most digital data would one day be stored on cloud servers.
Since 2018, 19 U.S. states have passed data privacy laws that limit companies’ data collection activities and enshrine new privacy rights for individuals. However, many of these laws also include exceptions for law enforcement access.
These laws predominantly take a consent-based approach – think of the pesky banner beckoning you to “accept all cookies” – that encourages you to give up your personal information even when it’s not necessary. These laws put the onus on individuals to protect their privacy, rather than simply barring companies from collecting certain kinds of information from their customers.
The privacy paradox
For years, studies have shown that people claim to care about privacy but do not take steps to actively protect it. Researchers call this the privacy paradox. It shows up when people use products that track them in invasive ways, or when they consent to data collection, even when they could opt out. The privacy paradox often elicits appeals to transparency: If only people knew that they had a choice, or how the data would be used, or how the technology works, they would opt out.
But this logic downplays the fact that options for limiting data collection are often intentionally designed to be convoluted, confusing and inconvenient, and they can leave users feeling discouraged about making these choices, as communication scholars Nora Draper and Joseph Turow have shown. This suggests that the discrepancy between users’ opinions on data privacy and their actions is hardly a contradiction at all. When people are conditioned to feel helpless, nudging them into different decisions isn’t likely to be as effective as tackling what makes them feel helpless in the first place.
Resisting data disaffection
The experience of feeling helpless in the face of data collection is a condition we call data disaffection. Disaffection is not the same as apathy. It is not a lack of feeling but rather an unfeeling – an intentional numbness. People manifest this numbness to sustain themselves in the face of seemingly inevitable datafication, the process of turning human behavior into data by monitoring and measuring it.
It is similar to how people choose to avoid the news, disengage from politics or ignore the effects of climate change. They turn away because data collection makes them feel overwhelmed and anxious – not because they don’t care.
Taking data disaffection into consideration, digital privacy is a cultural issue – not an individual responsibility – and one that cannot be addressed with personal choice and consent. To be clear, comprehensive data privacy law and changing behavior are both important. But storytelling can also play a powerful role in shaping how people think and feel about the world around them.
We believe that a change in popular narratives about privacy could go a long way toward changing people’s behavior around their data. Talk of “the end of privacy” helps create the world the phrase describes. Philosopher of language J.L. Austin called those sorts of expressions performative utterances. This kind of language confirms that data collection, surveillance and abuse are inevitable so that people feel like they have no choice
Cultural institutions have a role to play here, too. Narratives reinforcing the idea of data collection as being inevitable come not only from tech companies’ PR machines but also mass media and entertainment, including journalists. The regular cadence of stories about the federal government accessing personal data, with no mention of recourse or justice, contributes to the sense of helplessness.
Alternatively, it’s possible to tell stories that highlight the alarming growth of digital surveillance and frame data governance practices as controversial and political rather than innocuous and technocratic. The way stories are told affects people’s capacity to act on the information that the stories convey. It shapes people’s expectations and demands of the world around them.
The ICE-Medicaid data-sharing agreement is hardly the last threat to data privacy. But the way people talk and feel about it can make it easier – or more difficult – to ignore data abuses the next time around.
Rohan Grover is Assistant Professor of AI and Media at American University and Josh Widera is a Ph.D. Candidate in Communication at USC Annenberg School for Communication and Journalism. This article is republished from The Conversation under a Creative Commons license. Read the original article.
Filed Under: data breaches, ecpa, privacy, privacy law, privacy paradox, privacy rights, third party doctrine
Comments on “Why People Don’t Demand Data Privacy, Even As Governments & Corporations Collect More Personal Info”
maybe
Requiring companies to pay fair market value to us for our data might slow things down, and give us a good trickle income.
I think this may be overstating the amount of contrast. For example, in many of the European countries that people think have good privacy laws, hotel operators are required to pre-emptively copy guest’s passports and hand the data directly to police daily. Even in countries with a history of “secret police” and such abusing people’s data. By contrast, U.S. hotel operators have gotten into legal trouble for doing it without a warrant. Similarly, last I heard, Americans can sign up for phone service without showing identification, which is not legal in some European countries.
Speaking of “options for limiting data collection are often intentionally designed to be convoluted, confusing and inconvenient”, the same could be said of laws. Look at what Max Schrems has had to go through to get Facebook to comply with privacy laws. This is a person with legal training, and it’s still been over a decade with only intermittent victories. Every time the E.U. declare some data-sharing agreement illegal, they make a new one that’s basically the same; then it takes another few years for courts to realize that and strike it down, and Facebook continues their usual behavior in the meantime.
It's obvious....
If journalists stopped using newspeak words like “collected” or “harvested” or “data broker” etc etc etc …
It’s data rape. “Theft” requires that the original is no longer in possession of the owner, thus I don’t recommend using that term.
Start using actual words instead of the psychological warfare terminology and lots more people will start paying attention.
I was using a site that tracked my data from breaches and information about me available on websites for years. This began after deleting all my social media accounts over a decade ago.
The site never showed more than a dozen sites or sources sharing my data, which I would promptly request its removal or deletion when possible and changed passwords for breaches or deleted the accounts as I learned about them.
I never cleared the list completely. It was sitting at 6 unresolved sources last June. Last August I went to check it and suddenly I had over 600 new hits of data about me. To remove them it meant to manually request each source to delete or remove it or pay a service to do it for me.
That’s more than I accumulated over the previous entire decade overall. I’m way too cheap to pay for removal (I’m disabled) and the amount makes me feel like I’ve wasted my time trying.
Many of the data points were related to arrests from over 15 years ago that are not supposed to appear on background checks anymore (unless I try to get military clearance) and this is the worst part: the data is linked to some poor bastard who happens to have the same name as me. It’s a fairly unique name.
This privacy problem is destroying lives. It is preventing people from finding jobs, getting into colleges, qualifying for loans and more and there is no way to correct the mistakes of these data broker pieces of shit, let alone actually remove it. Half the time I requested sites remove my data they would ignore it or delete it until their next backup replaced it. Even the wrong data. It’s insane.
A cogent, well-argued article.
Too bad it misses the point. It’s not that nobody cares, it’s that nobody knows what to do about it, other than gathering a few thousand people and start yelling in the street that somebody with power do something…ANYTHING.
That’s not going to do anything good. There used to be a system where local party members could collectively bring their concerns to their committees, which were passed up to the committees that selected delegates that brought those items up at national conventions.
That whole system was replaced by “one [person], one vote”, and a slate of candidates who weren’t selected by the grass roots, but presented to them. This, I’ve always been told is “progress”. Well, look where we progressed to.
I’m not as concerned about this or any other issue as I am the vapid assumption newswriters have that I can have any effect toward improving things. The fact that I’ll get scant support from others here just goes to show how little my concerns mean, since blindly voting by party and hoping for the best is the current article of faith for solving anything.
I’m a heretic to that faith, prove me wrong.
Re:
You made an impossible demand, sabotaging itbefore you ever made it.
That’s pretty good work, the world needs more clear thinking like this.
Disclaimer: i am pretty pessimistic myself. i believe most people are dangerously stupid.
A lot of it’s that people don’t have any way of enforcing that demand. In almost every case it’s a matter of Hobson’s Choice: let them collect everything and do anything they want with it, or do without their product or service completely (which in many cases isn’t feasible or, when dealing with the government, legal). Suing over misuse isn’t feasible either. The individual damages are trivial compared to the cost of winning the suit and you can’t collect costs and fees in such cases, and class-action suits yield similar trivial “compensation” and the penalties are tiny compared to the benefits and are just treated as a cost of doing business.
Changing this is going to require reversing the law’s viewpoint entirely, making the baseline “You can’t collect any private data ever for any reason.” and requiring entities to show they absolutely can’t provide their product or service in any form, by any method, without collecting specific data and then prohibiting any use of the data collected for any purpose other than just what it was collected for. That’ll be a hard fight against every lobbyist in existence.