Consent as Fiction? The Social Reality of Data Protection in the Case of Facebook

Guiding Research Question

Consent is the most important legal basis to authorise the processing of personal data on the internet. According to Art 4 No 11 DS-GVO, consent means “any freely given, specific, informed and unambiguous indication” by which the data subject signifies agreement.

The present study examines whether Facebook users actually give their consent in a free, specific and informed way: it questions whether the data subjects genuinely and consciously waive their privacy and data protection entitlements.

From a methodological point of view, the analysis is about the subjective level of consent and a juxtaposition of legal doctrine and social reality. With reference to the legal scholar and sociologist Rehbinder, I am of the opinion that law, if it is to fulfil its regulatory purpose, cannot function without knowledge of the legal reality.[1]


Sampling and Demographics

The empirical basis of the analysis is an online survey of the web-active population in Austria. The data set consists of a screener for sounding out (n = 1,513) and the actual survey of the core target group of Facebook users (n = 1,019). The sample is representative of the characteristics of gender, age (14–70 years), education, state, and household size.

First, the survey gives an insight into the socio-demographic distribution of Facebook users: Around 67% of the web-active Austrian population is on Facebook. With 16%, the drop-out rate is highest among minors under 18 years of age, even though teenagers are more active on the platform, at 67%, compared to the 40+ generation, of which 60% have a user.

The sample also shows that 78% of respondents use WhatsApp and 42% are active on YouTube. Instagram is used by 23% of the population and especially by people under 30. Twitter and Snapchat are used by about 15%. Moreover, YouTube and Twitter show an overhang of male users.

Empirical Analysis of Consent

As a general starting question, I asked whether the users are aware that they have expressed a declaration of consent to Facebook.

Wording: “Have you declared your agreement that Facebook is allowed to collect and use your personal data?” Reply options: 1= „yes“, 2= „no“, 3= „I don’t know“ (n=1,019).

Only 37% of respondents know that they have agreed to their personal data being “collected” and “used”. Another 43% say they do not know and 20% think that they did not do so, which – at least from a legal standpoint – is actually not possible.

Thereafter, the specific legal elements of valid consent were analysed:


It turns out that 58% of the respondents say they are on Facebook because many people around them are on it too. 25% think that someone who is not on Facebook is excluded from many social events and activities. 18% say they have registered because others have asked them to. Only 15% of respondents say that they have experienced some form of social pressure in their environment (friends, school, work colleagues, relatives etc.) to register on Facebook. These especially tend to be younger users. 


Only 21% of the users claim to be informed about the specific purpose for which Facebook uses their data. Around 80% are of the opinion that they have no control over what happens to their data on the platform. Finally, just 45% of the respondents explicitly assume that Facebook uses their data lawfully. Older persons, and those who have registered because many around them are on Facebook too, are more likely to assume so.


To analyse how informed the respondents are, I showed them seven specific clauses out of Facebook’s terms of service. In a first step, the users were asked if they know that they have consented to the respective provision (informed and conscious consent). In a second step, users were asked if they would agree if they had the choice to use Facebook without the clause (hypothetical consent).

The following topics were touched upon:

  1. Consent to the use of name, profile picture and other personal information in connection with advertisements and commercial content, without any compensation (Social Ads).[2]
  2. Consent to the analysis of personal information and user data for studies and product development (Big Data Analytics).[3]
  3. Consent not to tag other users without their consent (Opt-out).[4]
  4. Consent to provide real name and information (Prohibition of pseudonyms)[5]
  5. Waiver of deletion of shared content (Rights of data subject).[6]
  6. Consent to having your personal data transferred to and processed in the United States (Privacy Shield).[7]
  7. Consent to the access to personal information and the disclosure of personal data to third parties to detect, prevent or prosecute illegal activities (NSA & Co).[8]


Conscious consent and hypothetical consent


Content of provision

Conscious consent

Have you consented?

Hypothetical consent

Would you consent?

  Yes No Idk No
i. Consent to be used for advertisement 9% 54% 37% 86%
ii. Consent to research and product development 11% 41% 48% 75%
iii. Consent not to tag without consent 24% 37% 39% 65%
iv. Consent to provide real name 50% 17% 33% 53%
v. Waiver of right to delete shared data 8% 36% 57% 84%
vi. Consent to data transfer in the US 8% 40% 52% 88%
vii. Consent to data disclosure for prosecution 11% 34% 55% 72%

In general, it can be said that the users are barely informed. In five of the seven clauses, knowledge of the given consent is about 10% or below. Exceptions are the topics “real name” and “tagging other users”. The deviations can be explained by the fact that these provisions affect the surfing behaviour of the users more directly. Nevertheless, only 1% of all respondents know about all clauses. Detailed correlation-analyses furthermore show that the many “no” answers represent a kind of protest or dissent by the respondents.

The results are similar in the case of hypothetical consent: The data show an average rejection of 75%. Only 3% of respondents would agree to all submitted clauses. The strongest rejection shows up regarding the clause with which Facebook obtains consent to transfer the personal data of users to the United States. The topics “real name” and “tagging” reveal different response patterns again.


Privacy Erosion by Law

The empirical analysis disproves the assumption that users are aware of and actually agree to everything that happens with their data. It turns out that the voluntary use is not the same as a freely given declaration of agreement. Participation on Facebook is not perceived as compulsion; rather it is a free option; the concerned people like to communicate and share; but to use the service does not mean to consent to all the contract clauses and every processing of personal data in terms of big data research and advertisement that takes place in the back office.

Nevertheless, the prevailing doctrine of contract law says that the act of registration on a social media platform (or another similar service) is a formally valid expression/declaration of will – regardless of whether the terms and conditions are read or understood. It is argued that companies must be able to trust in the commercial practice that clicking the button is a binding statement (protection of legitimate expectation).[9] As a result, it is assumed that consumers, who sign up for a free service with extensive terms and conditions, whose understanding is impossible for legal laymen, actually agree with the various clauses and data processing activities.

The terms and conditions invite for interpretation and thus protect companies, enabling them to take advantage of consumers in the digital mass business. This also means that we are dealing with a contractually underpinned erosion of privacy and that data protection law is not effective when it comes to protecting the concerned data subjects in such constellations.

Obtaining consent via standardised terms and data policies triggers data processing activities, which in fact is not desired by the users. The results of the empirical research show that, on a subjective level, there is no informed consent for the average consumer in the case of Facebook. Consent thus proves to be a dogmatic fiction.


[1] Vgl Rehbinder, M. Rechtssoziologie. Walter de Gruyter, Berlin; New York (1993) 2 ff (9).

[2] Cf “Terms of Service, 9. 1.”

[3] Cf. “Data Policy, How do we use this information?”

[4] Cf. “Terms of Service, 5. 9.”

[5] Cf. “Terms of Service, 4.”; see also “Community Standards, Keeping your account and personal information secure”

[6] Cf. “Terms of Service, 2. 1.”; see also “Data Policy, How can I manage or delete information about me?”

[7] Cf. “Terms of Service, 16. 1.”; see also “Data Policy, How our global services operate”

[8] Cf. “Data Policy, How do we respond to legal requests or prevent harm?”

[9] Cf. Koziol H./Welser R./Kletečka A. Grundriss des bürgerlichen Rechts, Allgemeiner Teil, Sachenrecht, Familienrecht, 14th ed., Manzsche Verlags- und Universitätsbuchhandlung, Wien (2014) 108 f (116); cf. Köhler H. BGB – Allgemeiner Teil, 41th ed., C.H. Beck Verlag, München (2017) 65. See also Radin M.J. Boilerplate: the fine print, vanishing rights and the rule of law. Princeton University Press. New Jersey; Oxfordshire (2013) 82 ff.

Robert Rothmann
Robert Rothmann is currently a Marietta Blau PhD Fellow at the Institute for Information, Health and Medical Law (IGMR) at the University of Bremen, Germany. The project is funded by the uni:docs programme of the University of Vienna, Austria. Substantial parts of the study were conducted at Westminster Institute for Advanced Studies (WIAS) in London, under the supervision of Professor Christian Fuchs.

Photo by Markus Spiske on Unsplash

More articles

More Articles