This article was downloaded by: [New York University]

On: 23 April 2015, At: 09:33

Publisher: Routledge
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer
House, 37-41 Mortimer Street, London W1T 3JH, UK

Journal of Media Business Studies

Publication details, including instructions for authors and subscription information:
http://www.tandfonline.com/loi/romb20

Non-Informed Consent Cultures: Privacy Policies and

App Contracts on Facebook
a

Anja Bechmann
a

Digital Footprints Research Group Aarhus University

Published online: 16 Mar 2015.

Click for updates

To cite this article: Anja Bechmann (2014) Non-Informed Consent Cultures: Privacy Policies and App Contracts on
Facebook, Journal of Media Business Studies, 11:1, 21-38, DOI: 10.1080/16522354.2014.11073574
To link to this article: http://dx.doi.org/10.1080/16522354.2014.11073574

PLEASE SCROLL DOWN FOR ARTICLE

Taylor & Francis makes every effort to ensure the accuracy of all the information (the Content) contained
in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no
representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of
the Content. Any opinions and views expressed in this publication are the opinions and views of the authors,
and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied
upon and should be independently verified with primary sources of information. Taylor and Francis shall
not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other
liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or
arising out of the use of the Content.
This article may be used for research, teaching, and private study purposes. Any substantial or systematic
reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any
form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://
www.tandfonline.com/page/terms-and-conditions

NON-INFORMED CONSENT CULTURES:

PRIVACY POLICIES AND APP CONTRACTS ON
FACEBOOK
Anja Bechmann

Downloaded by [New York University] at 09:33 23 April 2015

Digital Footprints Research Group

Aarhus University

ABSTRACT: Social networking sites collect extensive personal and

sensitive user data across a wide range of services and users accept this
through a click on the accept-button in their end-user license agreements
(EULAs). By comparing existing regulation and discussion on future
adjustments with studies of consent practices on Facebook, the article
argues that with the growing importance and use of these services the
consent culture of the internet has turned into a blind non-informed
consent culture, heavily relying on social incentives and group dynamics
in decision-making that are not adequately reflected in current and
upcoming privacy regulation.
KEY WORDS: Informed consent, privacy regulation, Facebook, decisionmaking, data disclosure

_____________________________________

INTRODUCTION
Social networking sites such as Facebook are extremely influential as
social data hubs on the internet. Through a simple authentication
process, they collect extensive personal and sensitive user data across a
wide range of services and users accept this through click-wrap
agreements in privacy policies or in third party app contracts.
When signing contracts offline the setting is often formalized in for
instance one-to-one meetings between the client and the company.
Online such formalization is taking place as a pop-up window that has to
be dealt with before returning to the actual task. However, building on
Copyright 2014 Journal of Media Business Studies. Anja Bechmann, Non-informed Consent
Cultures: Privacy Policies and App Contracts on Facebook, 11(1): 21-38 (2014).

Downloaded by [New York University] at 09:33 23 April 2015

22

Journal of Media Business Studies

existing studies the article will show that the practice of pop-up windows
and click-wrap agreements does not transfer the formality from the
offline practices. On the contrary it is debatable if in fact the consent
given can be regarded as informed at all (Solove, 2013).
The intense public criticism of informed consent as a way to
circumvent the processing and protection of personal data online has
influenced the current proposal of a renewed General Data Protection
Regulation in EU (com(2012)11 final). This proposal has an emphasis on
the elaboration of informed consent. In the proposal from the
Commission, the role of consent as a legal basis for processing personal
data is changed, but does it solve the internet cultural problem?
The aim of this article is to use this increased legal focus on informed
consent as a motivation to compare existing privacy regulation with
practices of informed consent in social media. The article sets out to
examine the culture of informed consent on Facebook and the legal
consequences of this culture. Statistics from countries within and outside
EU show that most users of social networking sites do not read the
privacy policies of the sites or the applications from third party
stakeholders that use their data (see e.g. Danmarks Statistik, 2011;
Nissenbaum, 2010; Solove, 2013). Is the agreement between the social
network site and the user legal then? Is it informed consent? This article
will critically discuss the EU directives definition of informed consent in
comparison with the culture of click-wrap agreements on Facebook using
a qualitative case study of 15 Danish high school students.

THEORETICAL FRAMEWORK
The starting point for informed consent in this article is a critical
political economy inspired lens, focusing on internet policy and
regulation. Political economy scholars are preoccupied by the structural
as well as processual power relations in society (Mansell, 2004:97).
Instead of accepting the status quo, scholars often challenge inequality
and what they perceive to be unjust (Wasko, Murdock & Sousa, 2011:3).
Often, political economy studies are focused on the macro-level (Mansell,
2004). Following the macro-level works of Solove (e.g. 2013) and
Nissenbaum (2010; 2011), the article critically discusses how individual
privacy is downplayed as a result of the click-wrap agreement culture on
the internet.
As noted by Nissenbaum, among many other scholars (e.g. Jorstad,
2001; Barnes, 2006), privacy exists in a paradoxical relationship between
wanting privacy on the one side and the need for convenience, discounts
or services on the other (referred to as the privacy paradox), hence the
reason for always discussing privacy in context (Nissembaum, 2010).
Nissenbaum (2011) and Solove (2013) stress the importance of the
consent dilemma when discussing informed consent.

Downloaded by [New York University] at 09:33 23 April 2015

Bechmann - Non-informed Consent Cultures

23

Nissenbaum points not only to the paradoxical relationship in

privacy as such, but also to the paradoxical character of transparency.
We cannot just be more transparent about how internet services use data
in end-user license agreements (EULAs) because it will create
information overload for the users as data flows in internet services
become ever more complex (Nissenbaum, 2011). Solove also calls for
regulative changes in terms of informed consent, but describes the
consent dilemma in a continuum between upholding the need for
privacy self-management to control individual data trades and removing
privacy self-management in turn for a paternalistic approach where
society decides legally how personal data is allowed to be collected and
distributed (Solove, 2011:1894). Due to the individual benefits of data
sharing (cf. the privacy paradox), Solove argues for the need to preserve
the privacy self-management even though these benefits can be very
small compared to the data provided (Acquisti & Grossklags, 2012).
However, Solove stresses the regulative need to broaden the knowledge
of individual decision-making with an emphasis on social values: social
values [] are not adequately reflected in privacy self-management,
which focuses too exclusively on individual choice (Solove, 2013:1893).
Other social science scholars have focused on the social values in
privacy, while fewer have chosen to focus on data disclosure decisionmaking on Facebook. Acquisti & Gross (2006) show how users still use
Facebook and disclose information even though they care about privacy.
The study also shows that users have little knowledge of the actual data
disclosure patterns. Stutzman, Gross & Acquisti (2012) show how privacy
settings on Facebook develop historically following the more open
standard settings of the Facebook interface. In other words, they find
that users in general do not actively choose privacy settings on Facebook.
Boyd & Hargittai (2010), on the other hand, conclude that young
Facebook users are beginning to care about and manage their Facebook
privacy settings.
Raynes-Goldies (2010) study of Facebook users shows greater
concern with social privacy than institutional privacy; they were not
concerned about how Facebook would use their data, but they were
concerned about controlling their data towards their (potential) circle of
friends. Additionally, Boyd & Marwick (2011) show how Facebook users
perform social privacy as social norms of sharing and hiding information,
for instance through encoded messages. In the social science studies of
Facebook, privacy is often dealt with as data disclosure in general and as
social reasons for doing so because they want to be in contact with their
friends.
Motivated by the legal framing, the study presented in this article
zooms in on the social reasons for accepting EULAs, but with a special
focus on the decision-making process that is only implicitly present in the
exemplified social science studies. The research presented here will draw
on a framework of psychological theories of group decision-making (e.g.
Forsyth 2006; Hastie & Kameda, 2005; Janis, 1982; Haslam, 2004). The

Downloaded by [New York University] at 09:33 23 April 2015

24

Journal of Media Business Studies

groups of friends who share the service or app invite through social
referral potentially influence the decision even though an individual
behind a digital device makes the decision. Forsyth describes groups as
two or more individuals who are connected to one another by social
relationships (Forsyth 2006:3). Consequently, this article does not
theorize about Facebook users only as individual selves, but also on users
connected to one another (on Facebook) through interdependent social
relationships as relational and collective selves (Sedikides, Gaertner &
OMara, 2011; Ess & Bechmann, 2013). To Forsyth, interdependency
means that members can be influenced and influence other members in a
group (Forsyth, 2006: 11).
Decision-making in groups often provides significant drawbacks and
lead to poor or misinformed decisions. Janis (1982) uses the term
groupthink to describe how groups strive for unanimity instead of
considering alternative courses of actions. Group thinking tends to
increase with rapid decision-making and the more cohesive groups the
more likely group thinking is. Additionally, Haslam (2004) shows that
groups tend to be more persuaded by consensus than arguments and
Sanders & Baron (1977) show that group members spontaneously
compare themselves to each other and may move away from differences
and towards the groups view. Furthermore, studies show that groups
also make riskier decisions than individuals (Lamm & Myers, 1978) and
free riding or social loafing tends to take place in decision-making
because group members rely on the other members effort thereby
degrading group performance (Hastie & Kameda, 2005). Studying group
judgment processes Kerr et al. (1996) show that group members tend to
conclude that an outcome is less likely to occur if they cannot imagine it.
Therefore groups may falsely rely on oversimplified information in
decisions.
This article will use these psychological findings to discuss the
results of a qualitative case study of data disclosure decision-making and
informed consent culture and secondly to compare it with the legal
definitions. This will add to existing social and regulative studies by
combining micro-level qualitative studies and macro-level legal analysis
to ground the critical discussion in actual usage patterns and the legal
definition of informed consent.

METHODS & CASE STUDY

Methodologically, the article draws on a qualitative study combining
open API (Application Programming Interface) data and screen dump
analysis and semi-structured interviews (Neuhaus & Webmoor, 2012;
Kvale, 1996; for methodological elaboration see Bechmann, 2014
forthcoming); furthermore, the article includes discussion of the findings
in a legal framework consisting of privacy directive interpretations
mainly in EU. Facebook is chosen for the case study because it

Downloaded by [New York University] at 09:33 23 April 2015

Bechmann - Non-informed Consent Cultures

25

represents the internationally most widely distributed social networking

site in the world. Furthermore, Facebook, like Google, has managed to
effectively draw data into their business from external sites and services
through plugins such as Facebook like buttons, Facebook connect and
Facebook applications (Bodle, 2011; Bechmann, 2013). These cases of
third party data usage patterns are significant in the scope of this article
and a special emphasis will be made on the use of apps in the qualitative
study of informed consent practices. The following sections will first
present existing statistics and studies on informed consent practices and
data disclosure and afterwards present the findings from a qualitative
study of informed consent behavior and practices among 15 Danish high
school students. The students were recruited off-line in the classroom in
order to secure external validation of the findings. Even though the
research team knows the participant identities, the data has been
anonymized and the research project authorized by the Danish Data
Protection Agency. Denmark has been chosen as the case study country
because the market penetration of Facebook in the target group is among
the highest in the world (see below). The cultural discussion will lead to a
legal discussion on how informed consent is addressed legally and if this
legal interpretation in fact corresponds or collides with the actual case of
Facebook consent culture following the discussion initiated by especially
Solove (2013).

EXISTING STATISTICS ON DATA SHARING AND

INFORMED CONSENT PRACTICES ON FACEBOOK
The qualitative study is conducted among Danes. This section will
present the Danish use patterns from existing statistical studies in order
to understand and put into perspective the conclusions of the qualitative
study.
In social networks, Danes are the most active sharers in the EU. In
Denmark, 37% of social network users have shared pictures, video, and
music compared to an average of 22% in the rest of the EU (Danmarks
Statistik 2011, p. 24). Of those Danes using the internet, 61% are
members of at least one social network service of which the majority use
the big four (Facebook 57%, LinkedIn 10%, MySpace 5% and Twitter 4%)
and only 9% use other services such as Foursquare.1 16-19 year olds use
social network sites most (93% of all internet users) followed by those
aged 20-39 (80%). The social network service pattern among 16-19 year
olds is different than the average. While 90% use Facebook only 1% use
LinkedIn and as many as 17% use other services. For the 20-39 year
olds, 77% of internet users use Facebook, 14% LinkedIn and 11% other
services. The use of social networking services is most common in urban
areas such as Copenhagen (60%) and the middle of Jutland (54% - center

At the time of registration Google+ was not released yet. Release date 28 June 2011.

Downloaded by [New York University] at 09:33 23 April 2015

26

Journal of Media Business Studies

for the second largest city in Denmark) (Danmarks Statistik, 2011, p.

26).
Nearly half of the Danes trust social services to treat personal
information properly to some degree (47%) and 17% highly trust the
services. Here, age does not make any difference, but only 42% have read
the privacy policies/terms in total or partly. This number is lowest for the
age group 16-19 on 10% yes and 21% yes, partly (Danmarks Statistik, p.
28) and 50% never read or do not consider it relevant to read the terms
for smaller programs connected to the networking services (IT- og
Telestyrelsen 2011, p. 71). However, 78% know how to change the
privacy settings: 87% for the 16-39 year olds and 46% for 60-74 year olds.
In general, only 3-4% of all Danes have experienced misuse of their
personal data on the internet, but there is a growing concern about the
misuse of personal data; the number of people very concerned, or at least
concerned to some degree, rose from 65% in 2009 to 76% in 2010 (IT-og
Telestyrelsen 2011, p. 64). This concern may have resulted in a more
reluctant internet behavior with respect to the submission of personal
data. In 2010, 33% have refrained from giving personal information in
social networking services and 11% discouraged the use of mobile
internet through mobile devices outside the home (IT- og Telestyrelsen
2011, p. 65).
The Danish case study therefore serves as an exemplary case of a
large Facebook penetration and a population that is used to sharing
(social media) data compared to other countries. Furthermore, the
qualitative study focus on high school students in an expensive living
area with above average education level and consequently these students
(if any) should have read the EULAs.

FINDINGS IN QUALITATIVE CASE STUDY ON FACEBOOK

In the qualitative case study of 15 (7 male, 8 female) Danish high school
students, none of them had read the privacy policies of Facebook or
related services. As one of the interviewed said: we joined a long time
ago and they do not read them on a regularly basis to detect changes.
The participants all had private profiles: their profile picture and
name is publicly searchable, but the data shared is private. The
participants share their data with 409 friends on average. This number
is slightly higher than the American average number of friends (318.5) in
the target group 18-34 year olds (PEW, 2012).
Looking at the third party apps that the high school students had
installed at the time of the study (Spring 2012), the average number of
apps was 60 (lowest 3 and highest 251). This means that the students
had agreed to share personal information to the app in question (e.g.
friends, wall posts, basic information, email address) and allowed the app
to take actions on their behalf (e.g. access data anytime or post in the
newsfeed on their behalf). The apps counted were only those currently

Bechmann - Non-informed Consent Cultures

27

Downloaded by [New York University] at 09:33 23 April 2015

active (i.e. the statistics do not account for apps the user had deleted
prior to the study).
When we asked if they had read the extended permissions that they
gave to the app all but one answered no. This despite the fact that
Facebook follow the cookie law tracking practice of showing these
permissions in a pop up window with a clear bullet list and if the
permissions include access to e.g. newsfeed or inbox there will be several
pop-up windows with extended permissions. The student that had read
the permissions only had a few apps because the student deleted them
when they were no longer in use, but why did the student agree to the
terms of use despite resistance?
I am deciding for myself what is most important to me: that I need to
accept this [an app permission] or that I want to use the app. And
then sometimes, if someone, for example on The Guardian, someone
has read an article and then if I want to read the article then I have to
accept them [the app permissions] and then the first five times, and
then I think, well whatever, then I do not want to read it. And then
finally, okay I accept
The high school student is describing a situation of strong
ambivalence towards the need to accept permissions that the student
finds highly inappropriate in order to be a part of the socialization that is
taking place in the group of friends. The study design furthermore
confirms the protective behavior in the fact that the student only has 3
apps.
If we return to the psychological studies this decision-making
behaviour can be explained as follows: Despite the student having
knowledge of the app EULAs that the other members of the group do not
have the student tends to lean towards the decision of the group. Even
though the student has a very cautious approach to app use (deleting
apps) the student is willing to take risks of disclosing data to be part of
the group socialization. However, it is not possible from the data to
conclude that the decision is made due to social loafing (Hastie &
Kameda, 2005), relying on other group members to have read the EULAs
thoroughly and consented on an informed basis before sharing with the
student in question. Rather the study indicates that the risks are
downplayed compared to the social meaning of the acceptance. We will
return to the risk assessment in the next section.
The Danish statistics (Danmarks Statistik, 2011) in the prior section
show that 31% have read privacy policies in the target group, but this
number is much higher than what the case study shows where none have
read them. This despite the fact that the case study is looking at
educated high school students. This may indicate that there can be
biases in question-based and especially survey-based studies where
there can be a need to picture oneself more informed than the case really
is. Despite our ability to investigate if the students have read the privacy

Downloaded by [New York University] at 09:33 23 April 2015

28

Journal of Media Business Studies

policy, the mixed method design of the case study was able to correlate
between app permission answers and number of apps installed at the
time of the study. Even though the case study is not representative, it
points to a very non-informed consent culture, as the students simply do
not read either the privacy policies or the app permissions given to
Facebook Apps.
The one student that actually did read the app permissions
furthermore added to the dilemma; if social media became an informed
consent culture the relationship between Facebook and the user would be
too unequal. In other words, the student needed to accept the conditions
in order to carry out a particular socialization with friends. Like group
decision-making theories suggest (e.g. Forsyth, 2006; Janis & Mann,
1977) the participants and their group of friends minimized the
importance of negative consequences.
Relational Reciprocity or Companies
Moving forward from the finding that they did not read either privacy
policies or app permissions on Facebook, we wanted to show them what
information we could retrieve when we acted as a third party company
(as applications do) in order to register their immediate reactions. We
retrieved their network of friends; newsfeed with the posts from their
friends; walls with for example posts, likes, and photos; all groups
(including secret ones); basic information: name, email and profile
pictures; geographical locations (if they had indicated any in the data
upload); and what kind of app the content was uploaded from. We knew
that they would not read the information if we just sent it out to them, so
we asked them both in speech and writing if they wanted to share this
information beforehand.
Most of the students were surprised how much and how detailed
information we (as an app) could retrieve; however, at the same time
they found it highly non-disturbing if companies retrieved data about
them. Confirming findings from existing studies (e.g. Raynes-Goldie,
2010; boyd & Marwick, 2011), they were mainly concerned with their
circles of friends. They preferred a reciprocal relationship on Facebook
along the line of this citation from one student: I can see all them that
can see me. That is very nice. Their primary concerns were: was the
identity intact to their different circle of friends and did the information
disclosure take place as data revelation to, for example, excluded friends.
These two citations from the students summarize this attitude:
If some company knows that about me, it really does not matter, really
[] but I would not want my friends to know, what I write to her
about [] but if a company knows [] what would they use that for?
Yes, because the things that is private to me, is perhaps, even if the
companies could use it, it does not matter for them to use it

Bechmann - Non-informed Consent Cultures

29

Downloaded by [New York University] at 09:33 23 April 2015

It is totally crazy how much they know about you, but on the other
hand, I am a bit ambivalent here, because who is really looking
through your entire profile?
Most of the students consider themselves as numbers to the
companies and not as individuals and this is why in their opinion they
are not concerned with data disclosure towards companies. They had
difficulties imagining potential risks other than economic theft and
photo-manipulation. Kerr et al. (1996) suggest that if the outcome is
difficult to imagine for the group they will conclude that it is less likely to
occur. It is difficult from the findings of this study to conclude if this
rationale is the case, but the study shows that the students had
difficulties in imagining real potential risks. To them data disclosure is a
part of the deal they have made with free social media services including
Facebook. This relationship was so natural for them that they did not
question it even though we ended up suggesting many potential threats.
Only a few thing struck them as potentially problematic when asked
directly by the interviewer: firstly, if they shared account information
written in their inbox; secondly, if companies such as Facebook or third
party companies use personal data (such as photos of the person in
question) falsely to show behavior that they did not do (for example, if
Facebook showed an advertisement to their friends stating that the
student liked a brand that they had never demonstrated a preference
for); and thirdly, they found it inappropriate that Apps were able to
identify friends and retrieve data posted by their friends through the
students app permission agreement.
However, this stands in contrast to the agreement they signed with
Facebook and third party apps, which stipulates that they are allowed to
redistribute data once it is published. Again if we see this as an act of
group decision-making it confirms how the students bolster (Janis &
Mann, 1977) choices by emphasizing positive aspects and downplaying
negative consequences in the quick decision-making process.
Blissfully Unaware?
The privacy paradox has been described by several studies (e.g. Barnes,
2006; boyd & Marwick, 2011; Nissenbaum, 2010, Stutzman, Gross &
Acquisti, 2012) as the fact that users want convenience above privacy,
but do care about privacy if they are asked about it. In other words, I
would identify the relationship as a matter of hands (behavioral
patterns) and head (intellectual reflection). However, returning to the
psychological framework an important understudied question arises: Do
users actually want to know where their data is shared because this
information would potentially affect their group behavior significantly?
The dual relationship between the head and the hand has led some
researchers to suggest transparency; instead of working with a general
understanding and definition of privacy we need to work (legally) with a
case of contextual privacy (Nissenbaum, 2010). Transparency suggests

Downloaded by [New York University] at 09:33 23 April 2015

30

Journal of Media Business Studies

that we always are able to see and know where our information is used
and what it is used for, and contextual privacy ensures that data cannot
be used outside the context in which it was provided. However, both
concepts raise new challenges: in the city of Facebook, we experience an
ever increasing data complexity and infrastructure that means
accounting for transparency would lead to intransparency. As noted in
the theoretical framework this has also been termed the transparency
paradox by Nissenbaum (2011). Furthermore, the complex, ubiquitous
and interwoven data infrastructure means that both from a technical and
especially usage perspective, it is difficult to determine when one context
ends and a new one begins. It is also fairly certain that the technical and
usage perspective on context will not be the same.
Forsyth (2006) among others (e.g. Baker, 2010) use the term social
information bias to describe that group members are inclined to base
their decisions on shared knowledge, not on more precise or better
knowledge that only few members of the group possess. In the case of
social media and Facebook this means that transparency regarding
information flows, according to the theory of shared information bias,
only will be effective if all group members share the information.
Otherwise the group will not even consider adjusting behavior
accordingly.
Building on Pew Research findings, Keller (2013) suggests that
teenagers increasingly adjust self-portraying and data sharing so it only
contains the public picture of them, thereby leaning more towards the
head than the hand and slightly delimiting the privacy paradoxical
relationship.
This is partly true in our case study on Facebook as well, but only
partially. The students consider the timeline as their public identity, but
place private content in inbox, chat, or private/secret groups (see
Bechmann forthcoming, 2014). The students were very good at reflecting
on privacy in the timeline feature, and we only succeeded in finding very
few content items with, for example, words with sexual associations
(mostly Face-rapes as data sharing on another persons behalf through
his/her login). They were very careful not to post anything private on the
timeline. Private meant things they would be embarrassed to share or
disclose now and in the future, as one student said: That, which you
think is private, may be disclosed somewhere sometime anyway. If they
had regrets about content they would simply delete it after considering if
this in fact was harmful. The classical (media) case of harmful scenario
for them was future job recruitment. In this case, most content was
acceptable because it would be a concern to them if the recruiter did not
find anything unusual.
However, the students did not consider privacy issues in other
features of Facebook such as inbox and secret groups. Confirming and
renewing Acquisti & Gross (2006) findings they simply did not know that
apps could retrieve data from these features. This again points to the

Downloaded by [New York University] at 09:33 23 April 2015

Bechmann - Non-informed Consent Cultures

31

service of Facebook as an interwoven and ubiquitous service that

facilitate many kinds of communicative needs. Most of the students
characterized Facebook as a more convenient communication service
than, for example, texting, emailing and calling. Not primarily as selfportraying through the timeline profile (Bechmann, 2014 forthcoming).
The case study shows that the students are not unaware of the
privacy issues concerned with data disclosure on the Facebook timeline,
but it shows unawareness of the data disclosure potentials from, for
example, third party apps. Do the students then want to know what
kinds of data companies retrieve from their Facebook accounts? The
interviews do not provide any clear yes to this question. Instead of
wanting to know exactly what has been retrieved, the students tend to be
more concerned with the questions: do I trust this app? What precise
instances of advertisements/sales are the data used for? What nature of
market value does the data have for the company that retrieves it? What
would be the potential outcome of data disclosure for me (as a collective
self)?
All the students found it interesting to know what kind of
information we could retrieve as a third party app because, as one
student said: it is my private life. One of them also articulated the
contextual issue of privacy in the interviews:
Its because, its taken out of context rightsome of my friends could
see this when I wrote it. I didnt care, because it was kind of obvious,
that it was for fun, but when it is suddenly taken out of context, now I
think it is kind of lame. And if someone doesnt know him or me it is
kind ofit is ridiculousI have not really considered that, and it can
be used. Im not sure. I dont know.
Still, the conflict between the hand and the head in the question of
privacy is highly relevant when it comes to the question of transparency
in the communicative features outside the Facebook timeline. The
students describe a very integrated usage pattern (Bechmann 2014
forthcoming), which means that if they had to act on the knowledge they
(and their in-groups) got, they would always need to be reflective. They
need to regard these other features as private in order to maintain the
function. This also goes for the search function (that Facebook has
implemented after the empirical study was finalized): the thing with
search on Google, I mean you can easily search for some very awkward
things sometimesthat is really private. Hereby the student indicates
that different functions can belong to either the individual, relational,
collective self or more than one. As suggested by Sedikides, Gaertner, &
OMara (2011, p. 99) the self-definition shifts according to the social
context and none of the three selves are primary. This again calls for a
more complex regulatory interpretation of informed consent.

32

Journal of Media Business Studies

Downloaded by [New York University] at 09:33 23 April 2015

Legal Interpretations of Informed Consent

The findings from the case study show that there is very little informed
consent in practice on Facebook for the 15 high school students in
question. Informed consent is a legal term that is used widely in the
regulation of internet behavior and practice, especially on social media
and dominant data hubs on the internet such as the big four: Apple,
Facebook, Google, and Amazon. These companies are very concerned
about regulation and the EULAs and permissions are agreements that
the companies make with the user in this respect. From the companies
point of view, this is a way to secure any current and future use of the
data that is collected through the services and also to ensure that data
can be mined and correlated across services in the company service
portfolio. Google, for example, introduced a new shared privacy policy for
all their extensive services in March 2012 in order to secure this data
interoperability. These practices add to the potential for, and character
of, the ubiquitous internet as it takes place on the data level.
Legally, the companies can circumvent personal data handling
regulation if they have the users informed consent, but what does this
important legal notion really mean? What does informed mean and what
does consent mean?
Consent is related to the concepts of control and self-determination.
The autonomy of the data subject is both a pre-condition and a
consequence of consent, which gives the data subject influence over the
processing of data. It is a problem when some controllers want to use the
data subjects consent as a means of transferring his/her liability to the
individual. The notion of control is also linked to the fact that the data
subject should be able to withdraw his or her consent (WP 187, p. 9).
The definition on consent has to be found in the data protection
directive from 1995 (95/46/EC). The data protection directive is
implemented in all 28 EU member states. Consent is any freely given
specific and informed indication of the data subjects wishes by which the
data subject signifies his or her agreement to personal data relating to
him/her being processed, art. 2(h).
The requirement that the consent must be freely given means that
the consent can only be valid if the data subject is able to exercise a real
choice, and there is no risk of deception, intimidation coercion or
significant negative consequences if he or she does not consent. If the
consequences of consenting undermine individuals freedom of choice,
consent would not be free (WP 187, s. 12).
A specific consent is intelligible, and should therefore refer clearly
and precisely to the scope and the consequences of the data processing.
Consent cannot apply to an open-ended set of processing activities (WP
187, s. 17).
The notion informed means in practice that consent by a data
subject must be based upon an appreciation and understanding of the
facts and implications of an action (WP 187, s. 19).

Downloaded by [New York University] at 09:33 23 April 2015

Bechmann - Non-informed Consent Cultures

33

The new data protection legislation that is being prepared by the EU

tries to modify the definition and role of consent. The proposal changes
the definition of consent so that every consent must be explicit
(com(2012)11, art. 4(8)). It is underlined in the preamble to the proposal
(recital 33) that in order to ensure free consent, it should be clarified that
consent does not provide a valid legal ground where the individual has no
genuine and free choice and is subsequently not able to refuse or
withdraw consent without detriment. It is further underlined in art. 7(4)
and the preamble (recital 34) that consent should not provide a valid
legal ground for the processing of personal data where there is a
significant (clear in the preamble) imbalance between the data subject
and the controller, and that this is the case where the data subject is in a
situation of dependence from the data controller. The recital refers to
situations where the controller is an employer or a public authority, but
it is obvious that the provision can be relevant in relation to the consent
given to social media like Facebook.
The proposal has been followed by a draft report from Jan Philipp
Albrecht (mail rapporteur for regulation in the EU Parliament). In this
draft report, the role of consent increased. The consent must be specific,
informed and explicit. The use of default options that the data subject is
required to modify to object to the processing, such as pre-ticked boxes,
does not express free consent (amendment 17 and 19). The draft report
takes that provision from the proposal about processing in situations
with imbalance between the controller and the data subject a step
further. There is also a clear imbalance in situations where the controller
or the processor is in a dominant market position with respect to the
products or services offered to the data subject, or where a unilateral and
nonessential change in terms of services gives a data subject no option
other than to accept the change or abandon online resources in which
they have invested significant time (amendment 20).
The draft report has been followed by a leaked document from the
Irish Presidency. In this document the role of consent is much more
retired. The definition has changed so that consent must only be freely
given, specific and informed and not explicit as in the proposal to the
data protection regulation. In processing situations, consent must just
be unambiguous and the provision on imbalance between the controller
and the data subject is deleted.
Practices and Legal Interpretations Collide?
As the findings from the case study show, the existing legal
interpretation of informed consent above and the practices of the high
school students collide. In a legal sense, one could argue that informed
consent does not take place thereby creating a non-informed consent
culture.
Firstly, drawing on the findings one could suggest that Facebook has
become so large and dominant a social platform (especially in Denmark)
that people have to be on Facebook in order to participate in social life.

Downloaded by [New York University] at 09:33 23 April 2015

34

Journal of Media Business Studies

They cannot turn down privacy policies or app permissions and they
cannot customize the setting in order to take into consideration their own
privacy limits and data disclosure attitudes. In other words, are you left
out of social life if you do not have a profile on Facebook? Legal practices
especially have focused on younger people and children from the age of
13 and up, which includes the target group that is investigated in this
article. Secondly, adding to the fact that the students did not read the
agreements they made with Facebook, often the terms and conditions
change without any real possibilities for the data subject to renew his or
her consent. The conditions are in other words forced on the users of the
social media services. Finally, supporting Soloves (2013) general
discussion on informed consent the findings show that the students are
insecure or directly unaware of the scope and consequences of data
processing. The data infrastructure is too complex and ubiquitous for
them to fully comprehend. Specifically, in terms of the connections
between the data shared in one context and the uses in other potential
contexts. Users without any technical knowledge (even with technical
knowledge) are not able to see through the data processing in social
media.
The existing EU regulation does not take into consideration the
social values and dependency, present in the irrational and potentially
risky data disclosure decision-making process. The students want to be a
part of the social network and the social interaction taking place here
and that is why they have to disclose information as a gift in return for
the Facebook service. Looking at the new proposal for a General Data
Protection Regulation the explicit consent (e.g. discouraging pre-ticked
boxes) and uneven power relationship in informed consent is addressed.
However, it will likely fall in the final version and, building on the
practice from the cookie law directive, the question that remains
unanswered is: how can this be acted out when unread click-wrap
agreements are part of internet culture?
The article has suggested that the decision-making process of either
accepting or declining EULAs and permissions happens as relational and
collective selves following group dynamics that are not reflected in the
legal definition of informed consent neither in existing regulation nor in
proposed changes. However, unwanted social decision-making dynamics
such as groupthink, social loafing, and shared information bias may be
incorporated in the definition and demands for consent in the active use
of for instance social referral. Using the personal network of friends for
privacy information and settings instead of (hiding) and isolating them
would maybe reduce the shared information bias.

CONCLUSION
The qualitative case study has shown that informed consent is not taking
place among the 15 Danish high school students. Neither in a practical

Downloaded by [New York University] at 09:33 23 April 2015

Bechmann - Non-informed Consent Cultures

35

sense nor in a legal sense when we consider the actual usage patterns.
Instead the findings indicate a non-informed consent culture. The
possible neglect of explicit consent (including discouraging pre-ticked
boxes) and power imbalance between the user and the service provider in
the regulative change process is a step in the wrong direction compared
to the findings in this article as well as existing social science studies.
The students do not consider Facebook timeline information as
private and they only post things they are not embarrassed about.
However, they have a hard time fully comprehending the actual future
instances of the data use and are unaware of the ability to draw data
from the private features in Facebook such as newsfeed, inbox and secret
groups. The findings correspond with and extend conclusions in existing
studies (e.g. Acquisti & Gross, 2006; boyd & Hargittai, 2010; boyd &
Marwick, 2011). These studies also show a reflective approach to privacy
and that users adjust behavior through customized strategies, albeit
different from the ones that are identified in this article. The findings in
this article highlight privacy and informed consent as both an individual
and social process subject to group dynamics.
Neither the existing or proposed future legislation try to absorb and
take into account these social dynamics in the definition of and
requirements for informed consent. There is a long way from the idea of
informed consent as an isolated agreement that has been accepted once
or is being accepted on a regular basis to the practice of skipping
information in order to get to the service, relying on consensus among
group members, or to simple engage in a gift economy where the
Facebook individual has to deliver data in return for socialization. The
idea of informed consent in the existing and future proposal simply
neglects to offer a solution on this problem.
Compared to informed consent given in offline settings or in for
instance online banking or client-based software installations the social
referral aspect and thereby group decision-making dynamics play a
paramount role in the social media setting. In order for users to receive
requests from apps or an invite to join social media networks they know
that their trusted friends have already accepted the EULAs. Facebook
Connect and other social media authentication solutions are increasingly
being incorporated in other services. This highlights the need for
updating the current legislation by integrating group decision-making
dynamics to a much larger extent.
Returning to the starting point of the article Solove (2013) suggests
that we need to consider the social values instead of merely the
individual choice in the informed consent and privacy self-management
discussion. This article proposes that we not only have to acknowledge
the social values that motivates informed consent, but the social
dynamics that control the decision-making process. In doing so we have
to remember that it is neither an individual nor a collective process, but
both, depending on the context in which consent is given.

36

Journal of Media Business Studies

ACKNOWLEDGEMENTS

Downloaded by [New York University] at 09:33 23 April 2015

A special thanks to privacy specialist lawyer Charlotte Bagger Tranberg

(former associate professor at Aalborg University in Denmark) for
guidance in the legal definition of informed consent procedures and the
general legal practices on privacy regulation procedures in EU. And a
special thanks to lead-programmer Peter Vahlstrup and research
assistant Helle Breth Klausen from the Digital Footprints Research
Group for programming the software Digital Footprints used for the data
retrieval and help conducting interviews and thanks to William Frost for
proofreading. The research project has received funding from Digital
Humanities Lab, Netlab & AU Arts.

REFERENCES
Acquisti, A. & Grossklags, J. 2012. An Online Survey Experiment on Ambiguity and
Privacy, Digiworld Economic Journal, 88(4): 19-39.
Acquisti, A. & Gross, 2006. Imagined communities: Awareness, information sharing, and
privacy on Facebook, Privacy enhancing technologies workshop (PET), accessed 3
November 2013: http://www.heinz.cmu.edu/~acquisti/papers/acquisti-gross-facebookprivacy-PET-final.pdf
Baker, D.F. 2010. Enhancing group decision making: An exercise to reduce shared
information bias. Journal of Management Education, 34:249-279.
Barnes, S. 2006. A privacy paradox: Social networking in the United States, First Monday,
11(9), 4 September.
Bechmann, A. forthcoming (2014). Managing the interoperable self, (eds. Bechmann, A. &
Lomborg, S.) The Ubiquitous Internet, New York: Routledge.
Bechmann, A. 2013. Internet Profiling: The economy of data intraoperability on Facebook
and Google, Mediekultur: Journal of Media and Communication Research, 29(55).
Bodle, R. 2011. Regimes of sharing, Information, Communication & Society, 14(3): 320-337.
boyd, D. & Hargittai, E. 2010. Facebook privacy settings: Who cares?, First Monday, Vol.
15, No. 8.
boyd, d. and Marwick, A. 2011. Social Privacy in Networked Publics: Teens Attitudes,
Practices, and Strategies. In Proceedings of A Decade in Internet Time, 21 - 24
September 2011, University of Oxford.
Danmarks Statistik (2011) Befolkningens brug af internet 2010, Danmarks Statistik,
Copenhagen.
Ess, C. & Bechmann, A. 2013. Mobile media and communication research: At the intersections between methods and ethics, panel at Nordmedia 2013, Oslo University,
August 9.
Forsyth, D.R. 2006. Group Dynamics, Belmont, CA: Wadsworth, Cengage Learning.

Bechmann - Non-informed Consent Cultures

37

Haslam, S.A. 2004. Psychology in organizations. The social identity approach, Thousand
Oaks, CA: Sage.
Hastie, R. & Kameda, T. 2005. The robust beauty of majority rules in group decisions,
Psychological Review, 112:494-508.
Janis, I.L. 1982. Groupthink: Psychological studies of policy decisions and fiascos, Boston:
Houghton Mifflin.
Janis, I.L. & Mann L. 1977. Decision making: A psychological analysis of conflict, choice,
and commitment. New York: Free Press.

Downloaded by [New York University] at 09:33 23 April 2015

Jorstad, E. 2001. The Privacy Paradox, Wm. Mitchell Law Review, 27:1503-1526.
Keller, J. 2013. Teenagers care more about online privacy than you think, Salon, May 23,
retrieved July 5, 2013.
Kerr, N.L., MacCoun, R.J., & Kramer, G.P. 1996. Bias in Judgment: Comparing individuals
and groups, Psychological Review, 103:687-719.
Kvale, S. 1996. Interviews: An Introduction to Qualitative Research Interviewing,
Thousand Oaks: Routledge.
Lamm, H. & Myers, D.G. 1978. Group-induced polarization of attitudes and behavior,
Advances in Experimental Social Psychology, 11:145-195.
Mansell, R. 2004. Political Economy, Power and New Media, New Media Society, 6(1); 96105.
Neuhaus, F. & Webmoor, T. 2012. Agile Ethics for Massified Research and Visualization,
Information, Communication & Society. 15(1): 43-65.
Nissenbaum, H. 2010. Privacy in Context: Technology, Policy, and the Integrity of Social
Life. Stanford, CA: Stanford Law Books.
Nissenbaum, H. 2011. A Contextual Approach to Privacy Online, Ddalus, 4:32-48.
Pew Internet Research (2012) Facebook: A Profile of its friends, Pew Internet Research
Tumblr, May 16: http://pewinternet.tumblr.com/post/23177613721/facebook-a-profileof-its-friends-in-light-of
Raynes-Goldie, K. 2010. Aliases, creeping, and wall cleaning: Understanding privacy in the
age of Facebook, First Monday, 15 (1).
Sanders, G.S. & Baron, R.S. 1977. Is social comparison irrelevant for producing choice
shifts? Journal of Experimental Social Psychology, 13:303-314.
Sedikides, C., Gaertner, L. & OMara, E.M. 2011. Individual self, relational self, collective
self: Hierarchical ordering of the tripartite self, Psychological Studies, 56(1): 98-107.
Solove, D.J. 2013. Introduction: Privacy Self-Management and the Consent Dilemma,
Harvard Law Review, 126: 1880-1903.
Stutzman, Gross & Acquisti (2012), Silent Listeners: The evolution of Privacy and
Disclosure on Facebook, Journal of Privacy and Confidentiality, 4(2), p 7-41.

38

Journal of Media Business Studies

Wasko, J., Murdock, G. & Sousa, H. 2011. Introduction: The political economy of
communications: Core concerns and issues, The Handbook of Political Economy and
Communications, West Sussex, Blackwell: 1-10.

Legal & Regulative References

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of
24 October 1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data

Downloaded by [New York University] at 09:33 23 April 2015

Article 29 Working Party: Opinion 15/2011 on the definition of consent (WP 187), adopted
on 13 July 2011
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387e
n.pdf
http://register.consilium.europa.eu/pdf/en/13/st10/st10227-ad01.en13.pdf