Manufactured Consent

The architecture of manufactured consent to digital surveillance

Platform companies have constructed a consent regime in which meaningful refusal is functionally impossible. Across every major digital service — search, social connection, employment, education, healthcare, commerce, and civic life — a handful of corporations have captured the infrastructure of daily existence and conditioned access on acceptance of surveillance. The resulting "consent" operates through interlocking mechanisms: monopoly power that eliminates alternatives, unreadable legal instruments that manufacture the fiction of agreement, interface designs that manipulate choice, economic structures that coerce participation, and a legal framework that treats platform use as voluntary waiver of constitutional protections. This architecture does not merely enable surveillance — it produces the appearance of consent to it.

What follows is a forensic inventory of each mechanism, grounded in specific data, named scholars, legal citations, and empirical research.


Five companies control the infrastructure of modern life

The scale of platform monopoly is the precondition for everything else. Google commands 89–90% of global search (StatCounter, 2025), with its mobile search share at 94.6%. Android holds 72% of the global mobile OS market; combined with Apple's iOS at 28%, two companies control over 99% of all mobile computing. Meta's family of apps — Facebook, Instagram, WhatsApp, Messenger — serves 3.98 billion monthly active users and captures 60.1% of global social media advertising spend. Amazon controls roughly 40% of US e-commerce (its nearest competitor, Walmart, holds 6.4%) and 30% of global cloud infrastructure through AWS. Microsoft holds 71% of the desktop OS market and dominates enterprise productivity through Office 365, Teams, and LinkedIn's 950 million members. Together, AWS, Azure, and Google Cloud control 63% of the $99-billion-per-quarter cloud infrastructure market.

These are not merely large companies — they are the substrate. Job searching flows through LinkedIn, where 52 million people search weekly and 8 people are hired per minute. Education runs on Google Classroom (150 million students and educators, 230 countries) and Chromebooks (93% of US school districts planned to purchase them in 2025). Commerce is increasingly cashless: 86.9% of US point-of-sale transactions are digital, and 13.4% of Americans have stopped using cash entirely. Political communication, community organization, event planning, and civic participation migrate to surveilled platforms by default. As Shoshana Zuboff wrote in her 2022 paper in Organization Theory, surveillance capitalism now "intermediates nearly all human engagement with digital architectures" and creates conditions of "practical and psychological 'no exit.'"

The scholarly framework for understanding this concentration is well-developed. Lina Khan's 2017 Yale Law Journal article "Amazon's Antitrust Paradox" argued that modern antitrust law's fixation on consumer prices allows monopolies to consolidate unchecked. Tim Wu's The Curse of Bigness (2018) calls for structural antitrust enforcement. Nick Srnicek's Platform Capitalism (2016) defines platforms as intermediary infrastructures thriving on network effects and cross-subsidization — noting that even ostensible competitors like Airbnb, Slack, and Uber run on AWS. Yanis Varoufakis's Technofeudalism (2023) argues that tech companies control digital markets like feudal lords controlled land, extracting rents rather than competing. Julie Cohen's Between Truth and Power (2019) examines how legal frameworks enable informational capitalism, while Frank Pasquale's The Black Box Society (2015) charts the opacity of algorithmic control. The Google antitrust trial confirmed the structure empirically: on August 5, 2024, Judge Amit Mehta ruled Google had violated Section 2 of the Sherman Act, maintaining an illegal monopoly through exclusive dealing agreements.


Terms of service as the legal fiction of informed agreement

The instrument through which platforms extract "consent" is the Terms of Service agreement — a document almost no one reads, almost no one can understand, and no one can negotiate.

The numbers are stark. Microsoft's ToS runs 15,260 words (63 minutes to read). Apple's iTunes terms exceed 20,000 words. Facebook's combined policies span over 15,000 words requiring a college-senior reading level. The average social media ToS fills 13.5 single-spaced pages at 6,141 words. A Flesch-Kincaid analysis of 500 software license agreements found a median score requiring 15 years of schooling — a college junior — while the average American reads at a 7th-to-8th-grade level. Only 3 of 500 agreements scored at the recommended 8th-grade threshold. Aleecia McDonald and Lorrie Cranor's landmark 2008 Carnegie Mellon study, "The Cost of Reading Privacy Policies" (I/S: A Journal of Law and Policy for the Information Society), estimated that reading every privacy policy an average American encounters would require 76 full work days per year — a national opportunity cost of 53.8 billion hours, exceeding the GDP of Florida. By 2019, average policy length had grown 58% to 3,964 words.

The evidence that no one reads these documents is overwhelming. A Deloitte 2017 survey found 91% of US consumers agree without reading; for ages 18–34, the figure reaches 97%. Pew Research Center (2019) found only 9% of adults always read privacy policies, while 36% never do. Jonathan Obar and Anne Oeldorf-Hirsch's experimental study, "The Biggest Lie on the Internet" (Information, Communication & Society, 2018), found 74% of participants skipped a privacy policy entirely; those who did open it spent an average of 73 seconds on a document requiring 29–32 minutes to read. 98% missed clauses about sharing data with the NSA and providing a firstborn child as payment. A 2022 follow-up with adults over 50 found 83.4% agreed to terms requiring "a kidney or other redundant organ."

Margaret Jane Radin's Boilerplate: The Fine Print, Vanishing Rights, and the Rule of Law (2013) provides the definitive legal analysis. Radin identifies two forms of degradation: "normative degradation" — the inability to address the absence of meaningful consent — and "democratic degradation" — mass-market rights-deletion schemes that undermine the rule of law. She proposes a new tort of "intentional deprivation of basic legal rights." The legal structure is that of a contract of adhesion: drafted unilaterally by the dominant party, offered on take-it-or-leave-it terms, with refusal meaning exclusion from the service entirely. Courts have wrestled with this: in Specht v. Netscape (2nd Cir., 2002), the court held that terms hidden below the fold did not constitute consent. In In re Zappos.com (2012), a unilateral amendment clause rendered the entire ToS unenforceable. Clickwrap agreements succeed in court roughly 70% of the time; browsewrap agreements only 14%. Yet platforms routinely change terms unilaterally — the EFF's ToSBack.org project has documented nearly 1,600 changes across 160+ platforms.


Dark patterns engineer the appearance of choice

When consent mechanisms do appear, they are designed to produce a predetermined outcome. The term "dark patterns" was coined by Harry Brignull, a UK cognitive scientist, on July 28, 2010, with the registration of darkpatterns.org. His taxonomy includes "Privacy Zuckering" (tricking users into sharing more data than intended), "Roach Motel" (easy to enter, difficult to leave), and "Confirmshaming" (framing refusal in derogatory terms). Arvind Narayanan and colleagues at Princeton crawled 11,000 shopping websites in 2019, identifying 1,818 dark pattern instances across 15 types, including 22 third-party entities selling dark patterns as turnkey solutions.

Cookie consent banners are the clearest laboratory for manufactured consent. Nouwens et al. (CHI 2020) scraped the top 10,000 UK websites and found only 11.8% of consent management platforms met minimal GDPR requirements. Removing the reject button from the first page increased consent by 22–23 percentage points. Providing granular controls decreased it by 8–20 points. A French experiment with 4,000 participants found that banners with no decline option pushed rejection rates down to 4%, while banners with an equally visible reject button raised rejection to 34% — closely matching participants' actual stated privacy preferences. A German study of 100 top websites found 77% used manipulative design; only 4% offered a "Reject All" button on equal footing with "Accept All." The European Commission found in 2022 that 97% of popular EU websites deployed at least one dark pattern. QuantCast's consent management platform reported over 90% consent rates across a billion users — a number that reflects design manipulation, not informed choice.

The Norwegian Consumer Council's 2018 report "Deceived by Design" documented how Facebook, Google, and Microsoft used privacy-intrusive defaults, threatening users with loss of functionality if they chose privacy-protective settings. A 2021 follow-up, "You Can Log Out But You Can Never Leave," detailed Amazon Prime's 12-step cancellation process — internally nicknamed the "Iliad Flow" — designed to obstruct departure. The FTC's subsequent case against Amazon resulted in a $2.5 billion settlement in September 2025, including the largest civil penalty in FTC history ($1 billion). Meta's 2024 attempt to use user data for AI training required an opt-out process involving misleading emails, hidden forms, and mandatory justification — the architecture of consent theater.

Shoshana Zuboff's The Age of Surveillance Capitalism (2019) provides the theoretical framework. She defines surveillance capitalism as "the unilateral claiming of private human experience as free raw material for translation into behavioral data." The key concept is behavioral surplus — data collected beyond what is needed for service improvement, processed into "prediction products" and traded in "behavioral futures markets." The goal evolves from prediction to actuation: "economies of action" that "tune, herd, and condition our behavior with subtle and subliminal cues, rewards, and punishments." Fassl, Gröber, and Krombholz coined the term "consent theater" at CHI 2021, arguing that consent management platforms exist to "optimize users' consent rates for profit" while creating the appearance of compliance — and that sites often ignore users' opt-out decisions entirely.


Economic necessity transforms consent into coercion

The "choice" to accept surveillance is conditioned by economic survival. In the gig economy, approximately 68 million US workers freelance, projected to reach 90.1 million by 2028. Globally, the World Bank estimates 435 million gig workers. Platforms like Uber, DoorDash, and Instacart collect GPS location, movement patterns, delivery speeds, behavioral data, and communication records — what Gemma Newlands terms "device-telematics" for continuous workplace surveillance (Organization Studies, 2021). The Dutch Privacy Authority has recognized that "it is impossible to give free consent where there is a financial dependency."

Employers increasingly require digital visibility as a condition of employment. Studies show 70–73% of employers screen candidates' social media, 92% of employers and 90% of recruiters use social media in hiring, and 47% of employers say they are less likely to interview candidates they cannot find online. One in five hiring managers won't consider a candidate without a social media presence. This means opting out of surveilled platforms carries a direct economic penalty: invisibility to employers.

The migration to cashless transactions deepens the surveillance architecture of commerce itself. Every digital payment generates a record — amount, time, location, counterparty, spending patterns. With 86.9% of US transactions now cashless and 41% of Americans making no weekly cash purchases, financial privacy is becoming structurally impossible. The class dimension is explicit: 63% of people earning under $20,000 prefer cash; 83% of those earning $90,000–$100,000 transact digitally. Privacy follows wealth.

Virginia Eubanks's Automating Inequality (2018) demonstrates that "the most invasive and punitive systems are aimed at the poor." She documented Indiana's automated benefits system rejecting over one million welfare applications in three years, Los Angeles's homeless services database accessible by police without warrants, and Pittsburgh's predictive child welfare algorithm. Eubanks coined the "digital poorhouse" — the digital expansion of punitive poverty management dating to the 1820s. The privileged can purchase privacy through paid alternatives, VPNs, and encrypted services. The poor face the most surveillance while having the least capacity to refuse it.


Children are surveilled before they can consent

Children represent perhaps the starkest case of manufactured consent, because they are not even the ones "consenting." Human Rights Watch's May 2022 investigation analyzed 164 EdTech products endorsed by 49 governments and found 89% surveilled or had the capacity to surveil children outside school hours. These products sent children's data to 196 third-party advertising technology companies. Most monitoring happened secretly, without children's or parents' knowledge. Data harvested included identities, locations, classroom activities, family relationships, and device economic indicators.

Google Workspace for Education serves over 150 million students globally. Chromebooks constitute 60.1% of the global education device market. The New Mexico Attorney General's lawsuit revealed that Google had Chrome Sync turned on by default in education Chromebooks, automatically uploading browsing histories, search terms, and contact lists — with the setting to disable it buried where parents would never find it. EdTech adoption in K-12 has increased 99% since 2020, with schools now accessing an average of 1,400 EdTech tools monthly — triple the pre-pandemic figure.

COPPA requires parental consent for data collection from children under 13, but the framework is riddled with structural failures. The FTC has allowed schools to consent in lieu of parents for "educational purposes," effectively delegating surveillance authorization to institutions with no capacity or incentive to scrutinize terms. FERPA, the main federal student privacy law, has no private right of action — individuals cannot sue — and its ultimate penalty of withdrawing federal funding has never been imposed in the law's history. Enforcement is largely performative: from January 2023 to January 2025, the FTC published only six COPPA enforcement actions. The largest penalty — $275 million against Epic Games (Fortnite) in 2022 for collecting data from 400 million players without parental consent — represents a fraction of the company's revenue.

Veronica Barassi's Child Data Citizen (MIT Press) documents how children are "datafied even before birth" through pregnancy apps and parental social media, then tracked through smart devices, learning apps, and school platforms into profiles that follow them for life. Over 75% of parents post information about their children online; 80% use children's real names. Priya Kumar at Penn State and Giovanna Mascheroni at Università Cattolica have developed the concept of the "datafication of childhood" — children transformed into quantified data subjects before they develop the capacity to understand, let alone consent to, what has been done.


The legal framework converts platform use into constitutional waiver

The third-party doctrine creates a legal architecture in which using a digital platform constitutes "consenting" to government access to your data. In United States v. Miller (425 U.S. 435, 1976), the Supreme Court held that bank records shared with a third party lose Fourth Amendment protection: "The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government." Smith v. Maryland (442 U.S. 735, 1979) extended this to telephone numbers dialed, establishing that information "voluntarily conveyed" to a service provider carries no reasonable expectation of privacy. Justice Marshall's dissent was prescient: "Unless a person is prepared to forgo use of what for many has become a personal or professional necessity, he cannot help but accept the risk of surveillance... It is idle to speak of 'assuming' risks in contexts where, as a practical matter, individuals have no realistic alternative."

Carpenter v. United States (585 U.S. 296, 2018) partially limited the doctrine. Chief Justice Roberts, writing for a 5–4 majority, held that historical cell-site location information constitutes a Fourth Amendment search requiring a warrant. Roberts recognized that cell phones are "such a pervasive and insistent part of daily life that carrying one is indispensable to participation in modern society" and that CSLI reveals "familial, political, professional, religious, and sexual associations." But Carpenter explicitly declined to overrule Smith or Miller, calling its own holding "narrow."

The post-Carpenter landscape remains unstable. In United States v. Smith (5th Cir., 2024), the Fifth Circuit declared geofence warrants "categorically" unconstitutional, noting that Google must search "its entire Sensorvault — all 592 million individual accounts" to execute one. But in United States v. Chatrie (4th Cir., 2024), the Fourth Circuit reached the opposite conclusion, holding that Google Location History involves a "voluntary" opt-in. The Supreme Court has granted certiorari in Chatrie — potentially the next landmark digital privacy case.

Section 702 of FISA enables warrantless surveillance of communications held by platforms. The 2024 reauthorization (RISAA) expanded the definition of "electronic communications service provider" — Senator Ron Wyden called it "one of the most dramatic and terrifying expansions of government surveillance authority in history." A House amendment requiring warrants for queries involving Americans' data failed by a tied 212–212 vote. Section 702 sunsets in April 2026.

Steven Bellovin and colleagues argued in the Harvard Journal of Law & Technology (2016) that "in an IP-based communications environment, the concept of voluntary conveyance... is, at best, a legal fiction." Orin Kerr's 2024 article "Terms of Service and Fourth Amendment Rights" (172 U. Pa. L. Rev. 287) directly examines how contractual click-through consent is conflated with constitutional consent — two frameworks with fundamentally different standards of voluntariness. Daniel Solove has called the doctrine "woefully inadequate." Justice Sotomayor, concurring in United States v. Jones (2012), urged reconsidering "the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties," calling it "ill-suited to the digital age." The RFRA implications remain largely undeveloped in case law, but Carpenter's explicit recognition that surveillance reveals "religious associations" and RISAA's enhanced oversight for queries targeting "religious organizations" constitute implicit acknowledgment that mass surveillance burdens religious exercise.


Opting out means exile

The evidence on what happens when people attempt to refuse surveillance confirms that the "choice" is no choice. With 4.9–5 billion social media users worldwide — 62% of humanity — opting out means withdrawing from the dominant infrastructure of communication. Facebook remains the primary platform for event organization in many communities; non-users miss invitations, community discussions, and local services. The Allcott et al. (2020) Facebook deactivation study — a large randomized controlled trial — found that deactivating for four weeks left participants less informed about current events and reporting reduced social activity. Ronald Deibert, Director of the Citizen Lab at the University of Toronto, describes this as "infrastructural imperialism": organizations offer social media as the readiest path to services, "excluding those who opt out while subtly but powerfully shaping the choices of those who opt in."

The economic penalty is quantifiable. 47% of employers are less likely to interview candidates they cannot find online. 21% won't consider them at all. Opting out of LinkedIn means absence from the platform where 52 million people search for jobs weekly. The concept of "privacy as luxury good" captures the class structure: free services are funded by surveillance; privacy-respecting alternatives require payment. Virginia Eubanks documented how thousands of unhoused people in Los Angeles must submit intimate data to databases accessible by 168 organizations, while housed citizens receiving mortgage tax deductions face no equivalent scrutiny. Apple markets privacy as a premium feature of expensive devices — making constitutional rights a function of consumer purchasing power.


The regulatory landscape remains fragmented and insufficient

The period 2024–2026 has produced significant regulatory activity without structural change. The EU AI Act (Regulation 2024/1689, effective August 1, 2024) bans social scoring and real-time biometric identification in public spaces, with penalties reaching €35 million or 7% of global turnover. The US has no equivalent federal legislation. The American Data Privacy and Protection Act stalled in 2022 and has not been reintroduced. Under the current administration, comprehensive federal privacy legislation appears unlikely. Twenty-plus states now have privacy laws, with Maryland's data-minimization requirements approaching GDPR standards. Texas secured a settlement exceeding $1 billion against a major tech company. But the patchwork creates compliance complexity without systemic change.

The FTC's enforcement capacity is constrained. Its Click-to-Cancel Rule, finalized October 2024, was vacated by the Eighth Circuit in July 2025. The commission lost two Democratic commissioners in March 2025. COPPA 2.0 and the Kids Online Safety Act both passed the Senate 91–3 in July 2024 but died in the House — then were reintroduced in weakened forms. The latest KOSA draft removed its core "duty of care" standard entirely. Section 702 of FISA expires in April 2026. Google's search monopoly ruling produced remedies prohibiting exclusive dealing but not requiring structural divestiture. The FTC's antitrust case against Meta was dismissed in November 2025.

Biden's comprehensive AI Executive Order (14110, October 2023) was rescinded within hours of the current administration's inauguration. Its replacement prioritizes "America's global AI dominance" over governance. The Colorado AI Act, effective 2026, is the first state law broadly regulating AI, but it represents an exception rather than a trend.


Conclusion: the geometric architecture of coerced choice

The consent architecture of digital surveillance operates through five interlocking mechanisms that together eliminate the conditions for voluntary agreement: monopoly removes alternatives, legal instruments manufacture the appearance of agreement, interface design engineers predetermined outcomes, economic structure makes refusal materially ruinous, and legal doctrine converts the resulting "choice" into constitutional waiver. Each mechanism reinforces the others. The monopoly ensures you need the platform. The ToS ensures you "agreed." The dark patterns ensure you clicked the right button. The economic structure ensures you couldn't have done otherwise. And the third-party doctrine ensures that your "voluntary" submission of data to a private company means the government can access it too.

Justice Marshall identified the core problem in 1979: it is idle to speak of assuming risks where individuals have no realistic alternative. Forty-seven years later, the alternative space has only contracted. The question is not whether individuals consent to surveillance. The question — the one that Zuboff, Radin, Eubanks, Khan, and the scholars of the datafied childhood have collectively illuminated — is whether the word "consent" retains any meaning at all within an architecture specifically designed to produce it.

RegenerativeLaw

Menu