Exercises: Data Collection and Consent

These exercises progress from concept checks to challenging applications. Estimated completion time: 3-4 hours.

Difficulty Guide:
- ⭐ Foundational (5-10 min each)
- ⭐⭐ Intermediate (10-20 min each)
- ⭐⭐⭐ Challenging (20-40 min each)
- ⭐⭐⭐⭐ Advanced/Research (40+ min each)


Part A: Conceptual Understanding ⭐

Test your grasp of core concepts from Chapter 9.

A.1. Section 9.1 traces the concept of informed consent from medical ethics. In your own words, explain the three elements of valid informed consent as established by the Nuremberg Code and the Belmont Report: (a) disclosure, (b) comprehension, and (c) voluntariness. Why does the chapter argue that most digital consent processes fail all three?

A.2. Explain the "notice and consent" model of data privacy as described in Section 9.2. What assumption does this model rest on, and why does the chapter argue that this assumption has become untenable in the era of ubiquitous data collection?

A.3. Section 9.3 introduces the concept of "consent fatigue." In your own words, define consent fatigue and explain how the calculation that reading all privacy policies would require 76 working days per year illustrates the systemic nature of the problem. Is consent fatigue a failure of individual attention or a failure of the consent model itself?

A.4. Define "dark patterns" as discussed in Section 9.4. Identify and describe at least three types of dark patterns used to manufacture consent. For each, explain the specific mechanism by which user autonomy is undermined.

A.5. Section 9.5 distinguishes between "meaningful consent" and "theatrical consent." In your own words, explain this distinction. What makes consent "theatrical," and why does the chapter argue that most online consent processes fall into this category?

A.6. The chapter introduces the concept of the "consent fiction" (Section 9.5.2). Define this term and explain why the chapter uses the word "fiction." What is being maintained, and what would happen if the fiction were abandoned?

A.7. Section 9.6 presents three alternatives to the consent model: legitimate interest, contextual integrity, and information fiduciary duty. In two to three sentences each, explain how each alternative addresses a specific limitation of the consent model.

A.8. Section 9.7 discusses consent for children's data under COPPA and GDPR Article 8. Explain why children present a special challenge for the consent model and describe at least two specific protections that these laws provide.


Part B: Applied Analysis ⭐⭐

Analyze scenarios, arguments, and real-world situations using concepts from Chapter 9.

B.1. Consider the following scenario:

A fitness app asks users to agree to its privacy policy before they can create an account. The policy is 8,200 words long, written at a college reading level, and includes the sentence: "We may share your personal information, including health data, with our affiliates, business partners, and selected third parties for purposes including but not limited to marketing, analytics, product development, and research." The "I Agree" button is large, green, and prominently placed. The alternative — "Manage Preferences" — is a small gray text link that leads to a seven-screen settings interface where each data-sharing category must be individually toggled off.

Using the frameworks from Sections 9.4 and 9.5, analyze this consent process. Identify at least three specific ways in which this process fails to produce meaningful consent. Classify each failure as a problem of disclosure, comprehension, or voluntariness.

B.2. A technology executive defends their company's data practices by saying: "Users agree to our terms. We are transparent about what we collect. If users don't read the privacy policy, that's their choice. We can't force people to read." Using Section 9.3 (consent fatigue) and Section 9.5 (the consent fiction), construct a response to this argument that addresses at least three specific flaws in the executive's reasoning.

B.3. Section 9.6.2 introduces Helen Nissenbaum's concept of contextual integrity as an alternative to consent. Apply contextual integrity to the following scenario:

A patient tells their doctor about a mental health condition during a private appointment. The doctor records this information in the patient's electronic health record. The health record system automatically shares diagnostic data with the patient's insurance company for claims processing. The insurance company uses the diagnosis to increase the patient's premium.

Using contextual integrity, identify the relevant "information norms" at each stage of this data flow. At what point, if any, is contextual integrity violated? Is the violation a matter of the type of information, the recipient, or the purpose of the flow?

B.4. Eli describes attending a community meeting about new surveillance cameras in his Detroit neighborhood (Section 9.8). Residents are told: "This is happening. We're here to answer your questions." Eli objects that this is "notification, not consent."

Explain the difference between notification and consent using the frameworks from Sections 9.1 and 9.2. Then analyze whether community consent is even possible for municipal surveillance programs. Who would give consent? How would dissent be registered? What model could make community-level consent meaningful rather than theatrical?

B.5. The GDPR requires that consent be "freely given, specific, informed, and unambiguous" (Article 7). Apply each of these four criteria to the following scenario:

A social media platform requires users to agree to a single, comprehensive privacy policy before creating an account. The policy covers data collection, targeted advertising, facial recognition for photo tagging, data sharing with third parties, and cross-device tracking. Users cannot use the platform without agreeing to all terms. The policy was last updated three months ago with no notification to existing users.

For each criterion (freely given, specific, informed, unambiguous), determine whether the scenario satisfies it and explain your reasoning.

B.6. Section 9.4.2 discusses "manufactured consent" through dark patterns. Consider an airline booking website that, after a user selects a flight, presents the following screen:

"Protect your trip with premium travel insurance for only $34.99."

[Large green button: "Yes, protect my trip"]

[Small gray text at the bottom: "No thanks, I'll risk my trip without protection"]

Identify at least two dark patterns in this design. Explain how the framing of the opt-out language ("I'll risk my trip without protection") attempts to manipulate the user's decision. How does this relate to the chapter's concept of manufactured consent?


Part C: Real-World Application Challenges ⭐⭐-⭐⭐⭐

These exercises ask you to investigate your own consent environment.

C.1. ⭐⭐ Cookie Consent Audit. Visit ten different websites (a mix of news sites, e-commerce platforms, social media, and government services). For each, document the cookie consent banner you encounter: (a) Is there a banner at all? (b) What options are presented (Accept All, Reject All, Manage Preferences)? (c) How many clicks does it take to reject all non-essential cookies? (d) What is the visual design of the "accept" vs. "reject" options (size, color, placement)? Present your findings in a table and write a one-paragraph analysis: Do these banners facilitate meaningful consent, or do they constitute "theatrical consent" as defined in Section 9.5?

C.2. ⭐⭐ Privacy Policy Readability Analysis. Select the privacy policy of a service you use daily. Copy the text into a readability analysis tool (Hemingway Editor, readable.com, or a Flesch-Kincaid calculator). Record: (a) the word count, (b) the estimated reading time, (c) the reading grade level, and (d) the number of vague phrases ("may," "might," "from time to time," "including but not limited to"). Write a one-page analysis evaluating whether this policy enables informed consent as defined in Section 9.1.

C.3. ⭐⭐⭐ Consent Withdrawal Experiment. Choose a service or platform and attempt to withdraw your consent — delete your account, opt out of data sharing, or exercise your "right to be forgotten" (if applicable). Document every step of the process: how many screens, how many clicks, how much time, what warnings or friction are introduced (e.g., "Are you sure? You'll lose all your data"). Write a report comparing the difficulty of giving consent (the initial "I Agree") to the difficulty of withdrawing consent. Does the asymmetry align with the concept of dark patterns from Section 9.4?

C.4. ⭐⭐⭐ Children's Consent Investigation. Identify a popular app or platform used by children (e.g., Roblox, YouTube Kids, Minecraft, or a children's educational app). Research its privacy practices and consent mechanisms. Write a two-page analysis addressing: (a) How does the platform verify age? (b) What parental consent mechanisms are in place? (c) What data is collected from children? (d) How do these practices compare to the requirements of COPPA and GDPR Article 8 as described in Section 9.7?


Part D: Synthesis & Critical Thinking ⭐⭐⭐

These questions require you to integrate multiple concepts from Chapter 9 and think beyond the material presented.

D.1. The chapter presents consent as a concept borrowed from medical ethics and transplanted into data governance. In medicine, informed consent is obtained through a face-to-face conversation between a doctor and a patient about a specific procedure with specific risks. In data governance, "consent" is obtained through a click on a privacy policy governing open-ended data practices by entities the user may never interact with directly.

Write a 400-500 word essay analyzing whether the concept of consent can meaningfully survive this transplantation. What elements of medical consent are lost in the digital translation? Are the differences a matter of degree (the same concept, just harder to implement) or of kind (a fundamentally different situation that requires a fundamentally different framework)?

D.2. Section 9.6 presents three alternatives to consent: legitimate interest (organizations may process data for purposes the individual would reasonably expect), contextual integrity (data flows should conform to the norms of the context in which information was originally shared), and information fiduciary duty (organizations that hold personal data should be held to fiduciary obligations similar to those of doctors or lawyers).

Evaluate each alternative by applying it to the VitraMed patient data scenario (Section 9.8.1). For each alternative: (a) What would it permit VitraMed to do with patient data? (b) What would it prohibit? (c) What are its limitations? Which alternative — or combination — do you find most promising, and why?

D.3. Dr. Adeyemi poses the question: "If we know that no one reads privacy policies, and if we know that clicking 'I Agree' produces no genuine understanding, then why do we keep doing it? Who benefits from maintaining the consent fiction?"

Write a response that identifies at least three stakeholders who benefit from the current consent model and explains the specific advantage each derives. Then assess whether the consent fiction serves any legitimate purpose — or whether it functions primarily to shift responsibility from data collectors to data subjects.

D.4. The chapter briefly discusses the difference between individual consent and collective consent (Section 9.8). Consider the following scenario:

A city government decides to install acoustic gunshot detection sensors (ShotSpotter) across a 12-square-mile area. The sensors continuously monitor ambient sound. No individual resident is asked for consent. The city council votes to approve the program after a public hearing attended by 47 people (in a city of 670,000).

Is the city council vote sufficient to constitute community consent? What mechanisms would make collective consent for surveillance technologies more meaningful? Design a process that balances democratic governance with individual rights, referencing both Chapter 8 (surveillance) and Chapter 9 (consent).


Part E: Research & Extension ⭐⭐⭐⭐

These are open-ended projects for students seeking deeper engagement. Each requires independent research beyond the textbook.

E.1. The Cookie Consent Ecosystem. Section 9.4 discusses cookie consent banners, and Case Study 1 examines them in depth. Conduct independent research on the Consent Management Platform (CMP) industry — the companies (OneTrust, Cookiebot, TrustArc, etc.) that sell cookie consent tools to websites. Write a 1,000-word report covering: (a) how CMPs work technically, (b) who their customers are, (c) what financial incentives shape banner design, (d) whether CMPs have been found to violate GDPR requirements, and (e) what the CMP industry reveals about the structural incentives in the consent ecosystem. Use at least four sources beyond this textbook.

E.2. COPPA Enforcement. Section 9.7 discusses the Children's Online Privacy Protection Act. Research FTC enforcement actions under COPPA from 2019 to the present. Write a 1,000-word report covering: (a) at least three specific enforcement cases, (b) the violations found, (c) the penalties imposed, (d) whether the penalties appear sufficient to deter future violations, and (e) what gaps in COPPA's protections the enforcement record reveals. Use at least four sources.

E.3. Consent Across Cultures. The chapter's discussion of consent draws primarily from Western legal traditions (U.S. and EU frameworks). Research how consent for data collection is understood and implemented in at least two non-Western contexts (options include Japan's APPI, India's DPDP Act, Brazil's LGPD, South Korea's PIPA, or China's PIPL). Write a 1,200-word comparative analysis addressing: (a) how each framework defines valid consent, (b) whether consent plays the same central role as in GDPR, (c) what cultural or legal factors shape differences in approach, and (d) what lessons Western frameworks might learn from alternative approaches.


Solutions

Selected solutions are available in appendices/answers-to-selected.md.