A person browses a website for running shoes and sees ads for those exact shoes across dozens of unrelated sites for weeks afterward. They did not provide their email, create an account, or consciously share any information. A free app requests permission to access contacts, location, microphone, and storage for features that seem unrelated to those permissions. A smart TV monitors viewing habits and sells that information to advertisers and data brokers. A loyalty card program offers small discounts in exchange for complete purchase history that reveals health conditions, financial stress, and life changes. Someone reads a news article and triggers data collection by over 50 different companies through trackers embedded in the page. The scale, sophistication, and opacity of corporate data collection has expanded enormously while most people remain unaware of how extensively their information is gathered, combined, analyzed, and monetized. Whether this represents innovative business models enabling free services or surveillance capitalism extracting value from people without meaningful consent remains profoundly contested.
The Case for Understanding Data Collection as Exploitation
Critics argue that corporate data collection has become pervasive surveillance that people neither understand nor meaningfully consent to. From this view, companies employ dozens of collection mechanisms most users never see: first-party cookies tracking behavior on sites visited; third-party cookies following users across the web; device fingerprinting identifying people even when cookies are blocked; location tracking through GPS, WiFi, and cell towers; cross-device tracking linking phones, computers, and tablets to single identities; SDK data collection through code embedded in apps; pixel tracking in emails revealing when messages are opened and from where; ultrasonic beacons using inaudible sounds to connect devices and locations; purchase data from credit cards and loyalty programs; and public records combined with commercial data to build comprehensive profiles. This data feeds uses that serve corporate interests over user wellbeing: behavioral advertising targeting people based on inferred vulnerabilities; algorithmic pricing charging different prices based on willingness to pay; credit and insurance scoring affecting access to financial products; employment screening filtering candidates based on data they never knowingly provided; political targeting enabling manipulation of democratic discourse; and sale to data brokers who resell to anyone willing to pay. From this perspective, the problem is not just privacy invasion but power imbalance. Companies know everything about users while users know almost nothing about data practices. Information asymmetry enables exploitation. The solution requires: radical transparency about collection and use; meaningful consent for specific purposes rather than blanket authorization; data minimization limiting collection to what is necessary; prohibition of harmful uses regardless of consent; and shifting business models away from surveillance capitalism.
The Case for Data Collection Enabling Valuable Services
Others argue that data collection, while requiring better governance, enables services people value and would not exist otherwise. From this perspective, free access to search engines, social media, email, maps, and countless other services depends on advertising revenue that requires understanding users well enough to show relevant ads. The alternative is paywalls excluding those who cannot pay or inferior services that cannot be sustained economically. Moreover, data collection serves users directly: personalization that surfaces relevant content from overwhelming information abundance; recommendations helping discover products, music, and content matching preferences; fraud detection protecting against unauthorized transactions; security monitoring identifying compromised accounts; product improvement using aggregate patterns to fix problems and add features; and research enabling insights that benefit society. From this view, the problem is not collection but lack of transparency and control. People should understand what is collected and how it is used, have genuine choices about participation, and benefit from their data rather than solely being exploited by it. The solution involves: clear disclosure in understandable language; meaningful consent with real alternatives; user control over data use; fair value exchange where users receive adequate benefit for data provided; and enforcement against deceptive practices while allowing beneficial collection to continue.
The Invisibility Problem
Most data collection is invisible to those being tracked. Third-party scripts run in the background. Device fingerprinting requires no user interaction. Cross-device tracking operates without notification. From one view, this invisibility is inherently problematic. Consent requires awareness, and practices designed to operate without user knowledge cannot be consented to regardless of what privacy policies say. Collection mechanisms should be visible and understandable to those being tracked. From another view, visible collection would be impossibly cumbersome. Requiring explicit notification for every tracking pixel would make web browsing unusable. Background operation is necessary for services to function, and disclosure through privacy policies provides adequate transparency for those who care. Whether invisible collection can ever be legitimate or whether it is inherently incompatible with consent determines what practices are acceptable.
The Inference and Derived Data Problem
Companies increasingly derive sensitive information through analysis rather than direct collection. Purchase patterns reveal pregnancy. Browsing behavior suggests mental health conditions. Location data exposes religious practice, political activity, and personal relationships. App usage patterns indicate financial stress. From one perspective, inferred data is as sensitive as directly collected information and should receive equal or greater protection because people never consciously shared it. From another perspective, inferences are company-generated insights rather than personal data, and restricting what conclusions organizations can draw from information they legitimately have raises different concerns than restricting collection itself. Whether derived data belongs to subjects or creators determines what control people have over inferences made about them.
The First-Party Versus Third-Party Distinction
Data collection by services people directly use differs from collection by unseen third parties. Someone using a fitness app expects it to track workouts. They may not expect their data shared with dozens of advertising partners. From one view, first-party collection with clear purpose is legitimate while third-party collection without direct relationship is inherently problematic. From another view, the distinction is artificial because first parties share with third parties routinely, and whether the same data use is acceptable depends on who does it rather than what is done makes little sense. Whether regulatory frameworks should treat first and third-party collection differently or focus on uses regardless of collector determines what rules apply to different entities.
The Dark Patterns Problem
Companies employ design techniques that manipulate users into sharing more data than they would with neutral interfaces. Confusing privacy settings default to maximum sharing. Opt-out requires navigating multiple screens while opt-in requires single click. Warnings about reduced functionality discourage privacy-protective choices. Accept buttons are prominent while decline options are hidden. From one perspective, dark patterns represent deceptive practices that should be prohibited regardless of technical consent because they manipulate rather than inform choice. From another perspective, design always influences behavior and distinguishing manipulation from persuasion is subjective. Whether dark patterns can be defined clearly enough to regulate or whether any restriction on interface design raises concerns about regulatory overreach determines what design practices are acceptable.
The Purpose Limitation Challenge
Data collected for one purpose is routinely used for others. Contact information provided for account recovery becomes marketing target. Purchase history for transaction records becomes behavioral profiling. Location data for navigation becomes advertising targeting. From one view, purpose limitation should be strictly enforced: data collected for specific purposes should be usable only for those purposes, with new uses requiring new consent. From another view, rigid purpose limitation prevents beneficial secondary uses and creates administrative burden without meaningful privacy benefit when data already exists. Whether purpose limitation should be strict, requiring consent for each use, or flexible, allowing uses compatible with original collection, determines what companies can do with information they have.
The Business Model Dependency
Many digital services depend economically on data monetization. Advertising requires surveillance. Engagement optimization requires behavioral analysis. The business model itself creates incentives to collect everything possible. From one perspective, this means regulation cannot effectively address collection practices without changing underlying business models, which requires prohibiting surveillance advertising or establishing alternative funding mechanisms for digital services. From another perspective, business model change is beyond appropriate regulatory scope, and focusing on transparency and consent addresses problems without restructuring entire industries. Whether data practices can change meaningfully without business model change determines what regulation can accomplish.
The Question
If companies collect data through dozens of mechanisms most people never see, combine it with information from countless sources, derive sensitive inferences people never consciously shared, and use it for purposes that serve corporate interests over user wellbeing, can any consent framework legitimize these practices, or does the scale and opacity of modern data collection require prohibitions rather than permissions? When free services that people value depend on surveillance-based business models, does that justify current practices or reveal that the choice between privacy and services is false, constructed by those who profit from surveillance? And if most people lack awareness of how extensively their data is collected and used, whose responsibility is it to create that awareness: companies that benefit from obscurity, governments that could mandate transparency, or individuals who theoretically could inform themselves but practically cannot keep pace with evolving collection practices?