Article Open Access

Privacy Protection on Social Media Platforms: Overdisclosure of Online Behavioral Data is Labeling Users

  • Le Cheng

    Le Cheng is Chair Professor of Law, and Professor of Cyber Studies at Zhejiang University. He serves as the Executive Vice Dean of Zhejiang University’s Academy of International Strategy and Law, Acting Head of International Institute of Cyberspace Governance, Editor-in-Chief of International Journal of Legal Discourse, Editor-in-Chief of International Journal of Digital Law and Governance, Co-Editor of Comparative Legilinguistics (International Journal for Legal Communication), Associate Editor of Humanities and Social Sciences Communications, former Co-Editor of Social Semiotics, and editorial member of Semiotica, Pragmatics & Society, and International Journal for the Semiotics of Law. As a highly-cited scholar, he has published widely in the areas of international law, digital law and governance, cyber law, semiotics, discourse studies, terminology, and legal discourse.

    and Yijin Guo

    Yijin Guo is a research fellow in Business Law at Paris Nanterre University, specializing in European Business Law. Her research interests include business law, intellectual property law, European Union law, and digital law.

Published/Copyright: April 25, 2025

Abstract

In the digital age, the protection of privacy and personal data on social media platforms has become increasingly significant. Online behavioral data includes user interactions, fandom affiliations, and engagement records, simultaneously encompassing both defensive privacy expectations and reasonable use expectations – blurring the lines between different levels of personal data protection. The sensitivity of online behavioral data, when aggregated, generates a “digital identity” that reflects a natural person’s social identity and is closely linked to individual personality, resulting in high identifiability and privacy risks. Due to the highly commercialized use of personal data by social media platforms and the ineffectiveness of the informed consent mechanism, legal frameworks primarily focus on traditional sensitive personal data, leaving the handling of online behavioral data inadequately regulated despite its potential to cause privacy risks. By analyzing consent mechanisms and case studies from platforms such as Weibo, this research highlights how default platform settings prioritize disclosure over user control and why current informed consent mechanisms are inadequate. This study advocates for a more comprehensive boundary delineation of sensitive personal data, a renewed stratification of personal data in the digital age, and stricter informed consent mechanisms to strengthen privacy protections, aligning platform regulations with contextual privacy expectations.

1 Introduction

In the digital age, the protection of privacy and personal data on social media platforms has become an increasingly critical issue. As intermediaries, platforms are expected to uphold stronger privacy safeguards (Zhao and Guo 2024), but their responsibilities often conflict with their social networking functions and profit-driven business models. While existing regulations attempt to balance privacy protection with data sharing, their implementation on platforms remains largely ineffective. The enforcement of data necessity principles in personal data processing and the practical application of informed consent mechanisms often appear superficial, with procedural compliance taking precedence over substantive user autonomy. In particular, the overdisclosure of online behavioral data in recent years has fueled growing public distrust toward platforms.[1]

In modern social media ecosystems, online behavioral data – including likes, comments, viewing history (records of watched posts, live streams, and other interactions on the platform), purchase history, group chat participation, and engagement in fan communities – has become a crucial aspect of digital identity. In social interactions, individuals typically adjust their information disclosure dynamically based on privacy expectations (Altman 1976; Petronio 2002). However, the privacy architecture of social media platforms often disrupts this dynamic regulation, compelling users into involuntary disclosure due to flawed consent mechanisms (Marwick and Boyd 2014; Nissenbaum 2010). When platforms fail to implement informed consent effectively, the default exposure of online behavioral data strips users of control over their private relationships, exacerbating social identity labeling, social media stalking, and increasing privacy risks such as cyberbullying (Wagner and Matulewska 2023) and doxxing – where social data is used to uncover real-life identities. Such privacy violations not only undermine individual control over social boundaries but also heighten perceived threats, ultimately reducing users’ willingness to engage freely in digital spaces (Goffman 1959). At the same time, platforms’ profit-driven business models frequently conflict with user privacy protection, further intensifying social segmentation, group conflicts, and user distrust toward platforms.

The hierarchical governance of data has become a growing trend in privacy management across different jurisdictions. However, the positioning of online behavioral data within this framework remains a subject that warrants further investigation.

2 Classification of Online Behavioral Data in Hierarchical Governance

2.1 Current Framework for Hierarchical Data Governance

The Personal Information Protection Law (PIPL) reflects the concept of hierarchical classification and governance of data (Zhang 2023). Nowadays, particularly with the widespread use of generative AI (Li, Cai, and Cheng 2023), people’s expectations of privacy have been reshaped, making the distinction between privacy, sensitive personal data, and general personal data a central issue in discussions on data protection.

Within the legal framework for personal data protection, the needs of data subjects (i.e., individuals) regarding the protection and utilization of their information can be categorized into defensive expectation and positive utilization expectation.[2]

Privacy primarily emphasizes the confidentiality of information, which is lost once it is disclosed, thus focusing on defensive protection. Personal data, on the other hand, combines both attributes of active utilization and defensive protection. Under the General Data Protection Regulation (GDPR), the protection of privacy and the right to understand how personal data is processed are recognized as fundamental rights. According to the regulatory framework, personal data refers to any information related to an identified or identifiable natural person. A natural person is considered identifiable if they can be distinguished, either directly or indirectly, through specific identifiers such as their name, identification number, location data, online identifiers, or other factors related to their physical, physiological, genetic, psychological, economic, cultural, or social identity.

From the perspective of reasonable expectations of privacy, personal data can generally be classified into several levels. The first is sensitive personal data, which aligns with the consensus of reasonable societal understanding regarding private information. Data subjects are primarily concerned with protecting this information from misuse or infringement. Such data requires enhanced defensive protection, and its processing is prohibited except in specific circumstances. Under Article 9 of the GDPR, sensitive personal data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. The processing of this data requires a clear legal basis or explicit consent from the data subject. The PIPL of China defines sensitive personal data in Article 28 as personal data that, if disclosed or misused, could harm an individual’s dignity or threaten their personal or property safety, including biometric data, religious beliefs, specific identities, health data, financial accounts, location data, and data of minors under the age of fourteen. The processing of sensitive personal data can only occur if it serves a specific purpose, is necessary, and involves strict protective measures. Article 29 stipulates that the processing of sensitive personal data requires explicit consent from the individual.

General personal data, which lacks privacy sensitivity, mainly involves the positive utilization expectation. In other words, data subjects expect certain data to be used within a reasonable scope to enhance service experiences or provide social convenience, rather than being completely prohibited. An example is a user who voluntarily provides information and expects it to be used to improve services, such as social interactions or targeted advertising recommendations. After obtaining general consent from the data subject, such data can be processed lawfully.

A further category is personal data that encompasses both defensive and positive utilization expectations (referred to as third-category personal data). This category includes online behavioral data, such as users’ friend lists, group memberships, and browsing history. The sensitivity of such data and whether its processing constitutes an infringement remain debated among scholars. Contextual Integrity theory suggests that the sensitivity of personal data depends on its use context rather than the inherent nature of the data itself (Ni 2019). Context Abstraction theory, by contrast, focuses on the characteristics of the data itself. It argues that when data possesses high utility or unique identification capabilities, it can be classified as sensitive personal data. Context Embedding theory, on the other hand, emphasizes external factors such as the data processor’s cognitive ability, the method of data application, and the data’s storage status, which may alter the data’s sensitivity and transform ordinary personal data into sensitive personal data (Ning 2021).

In the Katz v. United States case (1967), the U.S. Supreme Court defined the steps and standards for determining reasonable privacy expectations.[3] These steps consist of two parts: the first involves the subjective standard, assessing whether a natural person subjectively expects their privacy to be protected. The second involves the objective standard, determining whether, based on societal norms, the individual’s expectation of privacy is reasonable and objectively recognized.

Under the Chinese legal framework, Article 28 of the PIPL defines sensitive personal data as information that, if disclosed or misused, could violate an individual’s dignity or pose a threat to their personal or property safety. This includes biometric data, religious beliefs, specific identities, health data, financial accounts, location data, and data of minors under the age of fourteen. The term “etc.” provides flexibility for including other types of sensitive information. Furthermore, the phrase “specific identity” is introduced for the first time in the list of sensitive personal data under the PIPL, but the law has not yet fully defined its meaning or clarified its boundaries (Megan and Deng 2025). Some scholars argue that specific identity information refers to “certain identity information derived from biological or social constructs,” and whether it constitutes sensitive personal data depends on the context (Cheng 2021). Other scholars define it as “information that is highly likely to identify an individual, based on biological or social constructs,” using factors such as the nature of the information, the data subject, the purpose of processing, and the data processor to determine whether the data qualifies as sensitive personal data (Megan and Deng 2025). These relevant studies provide evidence for classifying personal data under defensive and positive utilization expectations within a hierarchical protection framework.

2.2 Hierarchical Classification of Online Behavioral Data in Data Protection

Online behavioral data refers to information collected from internet platforms that captures individual behaviors along with their contextual environments. This type of data primarily originates from users’ active interactions on digital platforms (Arosio 2022), such as social media, e-commerce sites, blogs, and online forums. Examples of such behaviors include clicks, views, comments, shares, and purchase records.

The legislation on personal data protection fundamentally seeks to strike a balance between competing value pursuits: while data related to personal dignity and privacy requires strict protection, general personal data tied to economic interests must also account for the needs of societal and commercial development (Li 2015). Sensitive personal data requires explicit consent, whereas general personal data only requires implicit consent, thereby increasing data flow (Ji 2018). Due to differences in how legislations define sensitive personal data, the classification of online behavioral data as sensitive varies across legal systems.

The American Privacy Rights Act (APRA), introduced in April 2024, has provided a more comprehensive definition of sensitive personal data. Compared to the categories of sensitive personal data commonly proposed in other national legislations, this act includes information such as video viewing data and online activity information from high-impact websites as part of sensitive covered data. The Act defines online activity profile as covered data that identifies the online activities of an individual (or a device linked or reasonably linkable to an individual) over time and across third-party websites, online services, online applications, or mobile applications that do not share common branding, and is collected, processed, retained, or transferred for the purpose of evaluating, analyzing, or predicting the behaviors or characteristics of an individual.

Under the current legal frameworks, the GDPR in the European Union and the PIPL in China have not yet officially classified online activity data on internet platforms as sensitive personal data, but the risks associated with this data in the online environment are increasingly approaching the threshold for such classification.

Article 28, Section 1 of the PIPL defines sensitive personal data primarily based on the high regulatory response of the law, with its protection standards increasing according to the risks of rights infringements that may arise from data processing (Ning 2021). In August 2023, China issued a public consultation notice for the national standard “Information Security Technology: Security Requirements for the Processing of Sensitive Personal Data” (Draft for Comment), further outlining China’s requirements for sensitive personal data protection. It categorizes sensitive personal data attributes into three types: data that, if disclosed or misused, may harm an individual’s dignity, personal safety, or property safety. Data falling under any of these attributes should be identified as sensitive personal data (Liu and Hua 2023). Some scholars argue that risk assessment should simultaneously meet two conditions: “the degree of general rights infringement” and “the probability of higher risk realization” (Ning 2021).

From the perspective of potential risks arising from data processing, due to the ease of searching and the rapid spread of information in the digital age, online behavioral data has a high level of identifiability in the online environment and is highly linked to an individual’s identity. Therefore, improper handling of such data poses a significant risk of infringing on personal dignity or even personal safety.

In any specific context, information may exhibit sensitivity and privacy. Privacy is not an inherent attribute of information itself but is determined by how the information is used in different contexts (Ni 2019). The sensitivity of information is context-dependent, and thus when determining the “sensitivity” of information, factors such as the nature of the information, the context of its processing, and its intended purpose should be considered (Hu 2018).

Some scholars categorize data into four types based on sensitivity and identifiability: Identifiable Data, Quasi-Identifiable Data, Sensitive Data, and Insensitive Data (Faridoon and Kechadi 2023). Identifiable attributes are those that can directly identify an individual, such as a name or social security number. Quasi-identifiable attributes are those that can indirectly identify an individual when combined with other information, such as age, gender, or zip code. Sensitive attributes are those that, if disclosed, could cause harm or embarrassment to an individual, such as medical conditions or financial information. Insensitive attributes are those that, if disclosed, do not cause harm or embarrassment, such as hobbies or preferences.

For instance, the live-stream viewing information of a user on Weibo, which is directly tied to the user’s identity, is a clear example of Identifiable Data. When the platform publicly discloses the notification that a user is watching a particular live stream, it directly associates the information with a specific individual. In contrast, if the same information were presented anonymously or in a de-identified form (e.g., showing the total number of viewers for a live stream without revealing specific viewers’ identities), it would fall under the category of Insensitive Data. When the information is combined with other data (such as the user’s social network or interest tags), it becomes Quasi-Identifiable Data, as cross-referencing could potentially infer the user’s identity or preferences. For example, in the WeChat Reading case, the reading data included online identifiers that pointed to the individual, such as reading duration, recent books read, bookshelf, and thoughts after reading, reflecting personal characteristics and preferences.[4] Accumulating these traits could identify the individual, thus classifying the information as personal data. Similarly, if a user frequently watches a particular type of live stream, is active during specific time periods, or interacts with certain groups, these behavioral patterns enable the platform to analyze the user’s personal traits, forming a consistent behavioral profile. Even if the real-life identity is not disclosed, this behavior-based identification can still recognize the individual through pattern matching. For the present study, the online behavioral data under examination is data that contains Sensitive, Identifiable, or Quasi-Identifiable attributes.

Based on existing definitions, it is difficult to categorize individual online behavioral data as publicly recognized sensitive information, because most individual pieces of information cannot be directly linked to a natural person’s visible identity or digital footprint. Therefore, when exploring the identifiability and sensitivity of online behavioral data, it is not sufficient to consider them in isolation; rather, the effect produced when these data points are aggregated should be taken into account.
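The aggregation effect described above can be measured during a privacy review of which behavioral fields a platform displays together. The following is an added example, not part of the original article: it uses k-anonymity (the size of the smallest group of records sharing the same values), a measure the article does not name, and the field names and the eight records are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Hypothetical field names for behavioral attributes of the kind the article
# lists: stream type watched, active period, group interacted with, likes.
FIELDS = ("stream_genre", "active_slot", "fan_group", "liked_topic")

# Constructed sample: eight pseudonymous accounts. No name or ID is present;
# each row holds only behavioral (quasi-identifiable) attributes.
RECORDS = [dict(zip(FIELDS, row)) for row in [
    ("idol", "night", "A", "music"),
    ("idol", "night", "A", "music"),
    ("idol", "night", "B", "film"),
    ("idol", "day",   "A", "film"),
    ("game", "night", "B", "music"),
    ("game", "day",   "B", "film"),
    ("game", "day",   "A", "music"),
    ("game", "night", "A", "film"),
]]


def group_sizes(records, fields):
    """Count how many records share each combination of values on `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size: each record hides among at least k-1 others."""
    return min(group_sizes(records, fields).values())


def unique_fraction(records, fields):
    """Share of records singled out (group of one) by `fields` alone."""
    sizes = group_sizes(records, fields)
    alone = sum(n for n in sizes.values() if n == 1)
    return alone / len(records)


def aggregation_report(records, fields):
    """For each number n of fields shown together, return the worst case over
    all n-field subsets as (n, lowest k, highest unique fraction)."""
    rows = []
    for n in range(1, len(fields) + 1):
        subsets = list(combinations(fields, n))
        rows.append((
            n,
            min(k_anonymity(records, s) for s in subsets),
            max(unique_fraction(records, s) for s in subsets),
        ))
    return rows


def largest_safe_field_sets(records, fields, k_target):
    """Largest field subsets that can be displayed together while every
    record still shares its values with at least k_target - 1 others."""
    for n in range(len(fields), 0, -1):
        safe = [s for s in combinations(fields, n)
                if k_anonymity(records, s) >= k_target]
        if safe:
            return safe
    return []


if __name__ == "__main__":
    for n, k, uniq in aggregation_report(RECORDS, FIELDS):
        print(f"{n} field(s) combined: worst k={k}, singled out={uniq:.0%}")
    print("displayable together at k>=2:",
          largest_safe_field_sets(RECORDS, FIELDS, 2))
```

On this sample every single field leaves each account in a group of at least three, while any three fields together single out three quarters of the accounts, which is the gap between per-item and aggregated sensitivity that the paragraph points to.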

In the digital platform ecosystem (Cheng, Xu, and Chang 2023), user profiling has become a crucial foundation for companies to optimize content distribution, resource allocation, and business decision-making. With the proliferation and advancement of AI technology, platforms are increasingly leveraging algorithms to intelligently influence the content users receive, making it a key component of their business model (Neuwirth 2024). By analyzing user behavioral data, platforms can assess and predict individuals’ interests, preferences, and consumption patterns, thereby utilizing algorithms to offer personalized recommendations that influence user interactions and decisions (Elyamany 2024).

Legal frameworks generally classify user profiling as part of personal data protection, emphasizing the autonomy of users in data processing, their right to be informed, the right to object to automated decisions, and their right to data portability (Ding 2019). However, user profiling, as a form of derivative data created through the analysis and processing of personal information, involves tagging individual characteristics, which forms a predictive model of a user’s tendencies, behaviors, and identity attributes through data mining.

The concept of “identity” in personal information recognition encompasses two layers of meaning: “personal characteristics” and “personal identity.” Whether the recognition of specific identity information refers solely to “personal identity” or includes both “personal characteristics” and “personal identity” remains a point of divergence across different jurisdictions (Megan and Deng 2025). However, the recognition of personal characteristics is too general in the context of identifying personal information, and as long as it does not reach the level of identifying an individual’s identity, it does not pose significant harm to the individual’s dignity or personal safety. For the purpose of this paper, the focus is placed on “personal identity.” However, personal identity should not only include traditional legal notions of natural person identity, such as name, national identification number, date of birth, etc., but also encompass digital identities closely related to one’s personality.

The study of the recognition of personal information identity essentially explores whether the disclosure of such information would affect one’s dignity or personal integrity. Therefore, it is crucial to examine the relationship between the recognition of personal information identity and an individual’s personality. In the current era of the internet, a new layer of identity has emerged in the form of digital identity in the online world. Although this identity is “virtual” and not directly inscribed on an ID card, it reflects an individual’s self-identification, affecting users’ dignity and safety (Cheng and Gong 2024).

Personal identity is largely shaped by the social groups to which an individual belongs, as well as their position and role within these groups (Turner and Oakes 1986). For example, among younger internet users, “fandom” has become a typical form of digital self-identification. Fandom, which refers to an individual’s affiliation with a particular celebrity, TV show, game, literary work, or other cultural phenomenon on social networks, has evolved beyond merely expressing interest to become a highly emotional identity marker. The disclosure of this information can directly affect an individual’s sense of security and autonomy in social spaces and even lead to online harassment, group antagonism, or “doxxing” in real life.

In the current internet environment, the threshold for “becoming a fan” within strictly organized fan communities has become increasingly high, often involving complex, ritualized behaviors (Zheng and Tan 2022). For example, in many fan communities, an individual may only be recognized as a fan after purchasing a certain amount of cultural products, merchandise, or other related items endorsed or produced by a celebrity. This ties into specific consumer behaviors and the act of self-identifying in particular social contexts. On platforms like Weibo, some fan communities do not even allow users to follow or post about more than one celebrity with the same account. Users must meet certain criteria to be recognized as “fans,” with some social platforms even offering specific titles or levels within fan communities, which require completing “tasks” to earn higher status. Being designated as a “Big Fan” within a fan circle can grant an individual a higher degree of influence and recognition within the community.

It has been argued that an individual’s self-identity is constructed through comparison and affiliation within social groups (Tajfel and Turner 2001). Fans strengthen their self-identity by engaging in competitive and comparative behaviors such as “leveling up” and “voting” while paying a cost in the process. Consumption is not merely about acquiring material goods but also serves as an important means of self-expression and identity formation. By consuming specific products and cultural goods, individuals establish their position in society and reinforce their personal identity (Bourdieu 1984). Through purchasing behaviors, individuals externally display their identity: the more they spend, the stronger their sense of identification and belonging (Simmel 2011). Individuals tend to strengthen their self-identity by associating with specific groups, such as fan communities. Buying celebrity-endorsed products and participating in particular fan activities are ways in which individuals “prove” their identification and integration into the group, gradually reinforcing their sense of self. In fan communities, there is no clear boundary between artists and consumers. All fans are potential creators, with talents that are yet to be discovered, cultivated, and developed. Every fan, regardless of how small their contribution, can add to the cultural wealth of the broader community (Jenkins 1992). Unlike simple admiration or affection, fans, who invest money, time, and other forms of value, demonstrate their inner sense of self-worth through their identity within the community.

An individual’s online identity, as a form of self-identification, reflects autonomy, which forms the cornerstone of the theory of dignity in human rights (Kant et al. 2002). The creation of an individual’s online identity is driven by the aggregation of various online behavioral data disclosed by platforms, such as recent participation in online communities, currently watched live streams, liked posts, and so on. When these pieces of information are conspicuously disclosed and aggregated together, they form a user’s digital identity card on the internet.

From an informational perspective, once data possesses the ability to identify and link individuals, even if it does not directly identify one’s identity, it can influence platform decisions, thereby having substantial impacts on individual rights. Therefore, the boundary of personal information is not solely defined by the ability to directly identify identity but rather depends on the strength of the correlations between data and the extent to which the information handler’s technological capabilities can recognize personal characteristics (Megan and Deng 2025). The aggregation of online behavioral data to form a user’s “digital identity card,” due to its close connection with personal identity, is a key factor in infringing on individuals’ general rights to social freedom and is also the source of higher risks, such as online harassment and doxxing.

Under the private law system, individuals shape their social roles and develop their personalities through contracts, market transactions, and commercial images. The violation of personal dignity can be concretized as the obstruction of an individual’s social interaction abilities (Zhang 2022).

In modern society, surveillance is no longer the traditional panoramic visibility; instead, it has become fluid, dispersed, and covert, with users unknowingly being under surveillance (Bauman and Lyon 2012). This theory is known as “Liquid Surveillance.” For example, Snapchat’s now-deleted “Best Friends” feature previously allowed users to see whom their friends interacted with the most.[5] This feature attracted attention due to its “slightly invasive” monitoring nature, as many users used it to stalk their friends or partners, observing whom they communicated with or shared images with most often. Such features are becoming more common on modern social platforms, where users experience both the thrill of peeking into others’ lives and the anxiety of their own online image being exposed.

The obstruction of an individual’s social interaction ability due to liquid surveillance is most typically manifested on the internet as the “chilling effect.” It refers to individuals self-censoring out of fear of punishment or social pressure, thereby limiting their freedom of speech (Schauer 1978). This effect is particularly prominent in social media environments. Meanwhile, the intrinsic conflict between the business model of social platforms and the protection of user privacy further fuels social stratification, strengthens internal group conflicts, and intensifies inter-group opposition. For instance, in fan communities, a typical manifestation of stratification, the strong sense of boundaries within fan groups causes them to segregate themselves. Fans of different groups may encounter collective attacks from opposing groups due to differing viewpoints. Furthermore, users’ actions, such as liking posts or participating in group chats, become the basis for identity recognition, which may be used by opposing groups to target them for attacks, leading to online violence, and even offline physical confrontations. For example, a few years ago, when a user posted a complaint about a particular celebrity on Weibo, fans of that celebrity managed to uncover the university the user attended and threatened them in order to force an apology. Many fans even contacted the university, demanding the user’s expulsion.[6]

Because an individual’s actions such as likes, follows, and social interactions can easily be accessed by other users, especially when these actions are publicly displayed on platforms’ homepages, the visibility of users’ social identities increases. It exposes their interests and social circles, making it easy for others to label them with a fan identity. This visibility of social trajectories not only makes users’ online footprints transparent but also facilitates the revealing of their identity. In scenarios such as fan community competition, online public opinion conflicts, and discussions on politically sensitive topics, a user’s likes, comments, or participation in a group chat can be used as a basis for attacks, further exacerbating social conflicts. For instance, external parties can infer a user’s political stance, fan affiliation, or even certain private social relationships merely from their like history. In polarized social environments, this information is often exploited to label individuals, incite group attacks, and escalate conflicts. Especially in areas involving entertainment industry disputes or societal issues, individuals can easily be labeled as “anti-fans,” “opposers,” or “having an improper stance” due to a single like or social interaction, ultimately becoming victims of online violence. To avoid being attacked due to their online activities, users may feel compelled to consider potential social risks when expressing opinions or engaging in specific discussions, forcing them into self-censorship (Mangiò, Andreini, and Pedeliento 2020). The self-censorship induced by this environment strips individuals of their rightful freedom in social spaces, obstructing their normal social interaction capabilities.

Moreover, the business model of social platforms heavily relies on the traffic effects brought about by competition within fan communities. The “Fan Economy” refers to an economic model that leverages the consumption power of fan groups, converting their emotional investment into commercial value through social media, celebrity marketing, brand endorsements, and other strategies (Sun 2017). This phenomenon is particularly dependent on social media platforms, especially large platforms like Weibo, Instagram, and TikTok. Fans not only support their idols’ careers by purchasing products endorsed by them but also generate discussions, create trends, and vote to increase the commercial value of their idols, thus attracting investments from brands. Take Weibo as an example. As one of the largest social media platforms in China, it capitalizes on the fan economy to monetize traffic. For instance, Weibo encourages fan group members to vote and create ranking competitions, actively amplifying group conflicts. This escalates the sense of rivalry between fan communities, creating continuous social topics. Such “buzz” becomes one of Weibo’s key channels for monetization.

Furthermore, Weibo’s SVIP visitor record feature exacerbates social surveillance behavior. At the end of 2023, Weibo launched a feature allowing SVIP members to view visitor records. Once activated, users’ visitor records become an exclusive benefit for paying members. Ordinary users cannot see who visited their profile, while paying members can check and even delete their visit history. They can also categorize the records into groups such as “all,” “followers,” “fans,” “non-fans,” and “verified users.” In addition to showing the visitors from the previous day, it also indicates if someone “frequently visited you yesterday” or “visited multiple times yesterday.”[7] This mechanism not only encourages a “peeping culture” but also makes users more cautious, even fearful, in social interactions, forming a “Liquid Surveillance” environment. Surveillance behavior becomes decentralized and permeates daily social networks, where individuals are both the objects of surveillance and also the subjects of mutual surveillance (Bauman and Lyon 2012).

In response to this, the CEO of Weibo commented in the platform’s comment section, stating, “this is to cater to the demand for growth in social memberships and mutual following.”[8] In fact, in the highly competitive fan circle environment, if a user visits the profile of a competing fan community, they might be viewed as “stalking” the rival fan group, thereby becoming a target of online violence. In September 2024, the Beijing Internet Court ruled on a lawsuit against Weibo for inadequate protection of personal information. While the court did not rule that Weibo had breached the contract, it did mandate changes to the platform. The number of hidden visits allowed for ordinary users was increased from three to ten.[9] However, the differences in visitor record access privileges between SVIP and regular users still remain.

User privacy disclosure behavior is influenced by factors such as attitude, subjective norms, and perceived behavioral control (Zhang and Li 2019). When users disclose personal information, they weigh perceived benefits against perceived risks (Culnan and Armstrong 1999). If the perceived benefits outweigh the perceived risks – such as when users feel the platform’s privacy settings pose little risk but offer more accurate content recommendations or richer social interactions – users tend to disclose information. Conversely, if perceived risks outweigh the benefits, they are likely to protect their privacy. Research has shown that procedural fairness positively affects user trust in platforms, and trust reduces users’ perceived privacy risks. Procedural fairness also positively impacts distributive fairness. In other words, if users perceive the process of privacy policy development as fair, they are more likely to accept the final privacy disclosure arrangements (Weng and Lian 2024). Social media platforms that make users feel their privacy policies are unfair – such as the distinction between SVIP and regular users regarding access to visitor records on Weibo – manipulate users’ social activities for the platform’s commercial interests. This increases users’ perceived risks and reduces trust in the platform, forcing users to limit their information disclosure to avoid online violence.

Moreover, as a person’s digital identity is essentially an extension of their personality (Floridi 2006), if platforms use digital identities for commercial purposes without proper regulation, it can lead to serious risks (Lambert and Smolinski 2024). Building on the traditional concept of personal dignity, some scholars have introduced the idea of “informational dignity,” which suggests that legal protection and respect should not only apply to a person’s real-world identity, but also to their digital identity. A person’s digital identity should not be manipulated, exploited, or exposed in ways that could lead to social discrimination or harm (Doyle 2011).

Recently, more social platforms have introduced features that display a user’s “fandom” and their rank within fan communities alongside their profile picture and username. For example, on QQ Music, when a user comments on a song by a particular artist, their username shows their “fandom,” such as “Lv 14 David Tao,” if the platform identifies them as a David Tao fan. This label is determined by the platform’s algorithm, and if the user disagrees with the result, they must manually change it. Once the user accepts the platform’s privacy policy, this label becomes visible to the public.

Most of the time, the legal framework surrounding the use of such data is overly broad, with platforms frequently overlooking the sensitivity of this data in their pursuit of monetization. For instance, just as traditional privacy laws prevent the display of personal characteristics like sexual orientation next to a user’s profile picture – regardless of whether the user is comfortable revealing this information – most non-dating social platforms do not inform users about how to disable such features through the privacy consent process. Instead, these features are automatically enabled when users agree to the platform’s general privacy policy. This approach contrasts with the ideal model where users should have the option to manually activate these features, similar to how platforms like Weibo allow users to choose whether to display their sexual orientation: users are not required to disclose their sexual orientation unless they manually choose to include it in their personal profile.

Likewise, the aggregation of online behavioral data, such as “fandom” status, should not simply follow the traditional informed consent model, where users passively agree to everything. Instead, users should be required to actively opt in if they wish to disclose such information.

3 The Principle of Informed Consent and Its Defects in Practical Application

The U.S. established the “third-party doctrine” in Smith v. Maryland (1979),[10] which states that if an individual voluntarily provides information to a third party – such as data shared by a user on social media platforms – this information is no longer protected by the privacy rights under the Fourth Amendment of the U.S. Constitution. Essentially, by sharing such information, individuals are seen as having waived their privacy rights. However, the rise of internet social networks has blurred the boundaries between the private and public spheres. Information disclosure on social platforms is often implicit, non-voluntary, or influenced by platform default settings, leading users to still maintain reasonable expectations of privacy regarding such information (Ni 2019). The principle of informed consent aligns with the intuitive understanding of personal information protection: If a business collects, uses, or transfers personal information with the prior consent of the data subject, it seems that no unlawful infringement on personal information has occurred (Lin 2018). Informed consent not only includes agreement but also the right to withdraw consent.

Regarding consent: The PIPL stipulates that consent must be voluntarily and explicitly given by individuals, under conditions of full awareness. Before processing personal data, the controller must inform the individual of all relevant processing matters in a prominent, clear, and understandable manner. In cases of processing sensitive personal information, the individual’s separate consent is required. The GDPR specifies that if consent is given through a written declaration that includes other matters, the consent should be presented in a manner that is easy to understand and clearly distinguished from other issues. When assessing whether consent was freely given, the evaluation should consider all circumstances, including the fulfillment of contracts, and whether personal data was consented to for purposes unrelated to the contract. The data subject must give explicit consent for the processing of sensitive personal data for one or more specific purposes.

Regarding the withdrawal of consent: PIPL mandates that platforms provide a convenient way for individuals to withdraw consent. The withdrawal of consent does not affect the legality of any personal information processing conducted before the withdrawal. Information processors cannot refuse to provide products or services based on an individual’s refusal to consent or the withdrawal of consent. Similarly, GDPR stipulates that the withdrawal of consent should be as easy as giving consent. The data subject has the right to withdraw consent at any time, and such withdrawal does not affect the lawfulness of data processing carried out prior to the withdrawal. Before consent is given, the data subject must be informed of these rights.

Informed consent is the first step in establishing trust between the data subject and the data controller, as well as a key element in the data subject’s understanding and oversight of how their data is used. When large volumes of user data are captured, aggregated, circulated, and utilized by platforms, balancing “data usage” and “privacy protection” often depends on effective interaction and coordination among various stakeholders, such as governments, platforms, and users. Of course, platform privacy policies are fundamental in achieving this goal (Xuan et al. 2023). However, research indicates that although users say they care about how their data is used, few actually read privacy policies (Barth and De Jong 2017). The vigilance of users regarding privacy disclosures is also dynamic, with data disclosure behavior changing in response to platform privacy terms, trust in institutions, and the visibility of privacy indicators. Currently, the principle of informed consent remains in a stage where “form outweighs substance.” In reality, the “consent” given by users often does not reflect their true intentions (Zhang 2019).

A comparison of the versions of the same shopping app available in China (Pinduoduo) and France (Temu) reveals significant differences in their privacy policy consent pages. Previous research indicates that users’ concerns about privacy policies are influenced by visual cues (Étienne, Manant, and Pajak 2015). When visual cues are present, people are more likely to relax their vigilance over privacy risks and agree to platform terms that do not align with their expectations of privacy. On Pinduoduo’s consent page, the “Agree” button is prominently displayed in large white letters on a green background, with a small grey “Disagree” button hidden underneath the white background. This setup seems to encourage users to click the “Agree” button. Moreover, there is no option to manage cookies, and clicking “Disagree” triggers a message stating that the app’s full functionality will be unavailable without agreement.

In contrast, Temu’s consent page is more reasonable. Both the “Accept All” and “Reject All” buttons are the same size and surrounded by identical borders. Additionally, there is an option for “Cookie Personalization,” and “Reject All” only applies to “non-essential cookies.” By selecting “Reject All,” users can continue to use the app, unlike on Pinduoduo, where refusal to consent results in the complete inaccessibility of the app’s functions.

Furthermore, inefficient and costly reading significantly hinders the realization of users’ right to know (Fan and Gu 2021). Previous research indicates that the more characters a privacy policy contains, the less likely users are to read it (Zhu, Zhang, and Lu 2018). The “legal jargon + hyperlink” format in privacy policies reduces readability and comprehension, preventing users from fully understanding the associated data risks (Sun, Zhang, and Li 2021). Both Pinduoduo and Temu, like most apps on the market, use hyperlinks to present their full privacy policies. However, Pinduoduo also includes brief explanations of the content outside of the hyperlinks. Ideally, if the brief explanation conveyed the core points of the privacy policy that users should pay attention to, such an addition would be beneficial. However, Pinduoduo’s setup makes this addition unreasonable.

Compared to other e-commerce platforms, Pinduoduo’s users have a lower average level of education (CNNIC 2023). As most privacy policies use the “legal jargon + hyperlink” format, users with lower education levels may face significant challenges in understanding privacy policies. The user base of Pinduoduo has a notably higher proportion of low-education individuals compared to platforms like JD.com and Taobao, particularly in third- and fourth-tier cities, with users in third-tier cities accounting for 20.4 % and users in fourth-tier and lower cities making up 38.4 %. In terms of educational background, 68.2 % of Pinduoduo’s users have an education level below bachelor’s degree.[11] On Pinduoduo’s privacy policy page, the visible text is far less prominent than on platforms like Weibo. After scrolling down, the page only contains a blue hyperlink to the full privacy policy and a brief description. The blue hyperlink is not easily noticed, and users with lower education levels and limited privacy protection awareness may not even click to view it. Moreover, the “brief description” contains only legally required boilerplate language, rather than highlighting actual privacy risks or specific functions that pose higher privacy concerns. As an important textual part of the privacy policy, the “brief description” is essentially ineffective, preventing users from truly understanding and being aware of the risks they need to consider.

Given the inefficiency in the current implementation of the informed consent rules and the ineffective privacy policy consent mechanisms, the legality and privacy risks associated with certain features launched by major social media platforms are a subject of ongoing controversy.

4 Legality Analysis of Weibo’s “Friends Are Watching” Feature Under the Current Legal Framework

The “Friends Are Watching” feature on Weibo automatically notifies users when their friends have viewed certain posts or live streams, displaying their usernames in the notification. This function is activated by default once users register on Weibo and consent to its privacy policy. Most jurisdictions uphold the principle of data minimization, which requires online platforms to limit the collection and disclosure of users’ personal data to what is strictly necessary (Cheng, Han, and Nasirov 2024). According to Article 1035 of the Civil Code of the People’s Republic of China, the processing of personal information must adhere to the principles of lawfulness, legitimacy, and necessity, and must not exceed reasonable limits. The necessity principle implies that the required scope of personal information collection varies across different contexts and may evolve over time.

The Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications,[12] jointly issued by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation in March 2021 and effective from May 1, 2021, explicitly define the necessary personal information scope for 39 common types of mobile applications. Under these regulations, social networking applications, which provide services such as blogging, forums, community discussions, and information sharing, are only permitted to collect users’ mobile phone numbers as necessary personal information. Furthermore, Article 13 of the PIPL and Article 6 of the GDPR set forth exceptions to the requirement for informed consent, such as data processing necessary for contract performance or in pursuit of the public interest. First, based on jurisprudence,[13] browsing history constitutes personal information because of its identifiability. Collecting and utilizing users’ browsing records for Weibo’s “Friends Are Watching” function may therefore violate the necessity principle outlined in the Regulations. Second, the “Friends Are Watching” feature does not fall under contractual necessity. Accessing posts or live streams is a standard service provided by Weibo and does not require publicly disclosing users’ viewing behaviors to fulfill contractual obligations. Since this function is neither essential for contract formation nor mandated by legal obligations or the public interest, it does not qualify for exemption from the requirement of obtaining user consent.

Thus, the validity of Weibo’s privacy policy in fulfilling the informed consent principle must be examined. In this regard, the consent mechanism for the “Friends Are Watching” function is largely illusory. Unlike platforms in the EU that provide explicit cookie management options, Weibo does not offer users the ability to manage their privacy preferences easily. Upon first opening the app, users are not presented with a clearly visible privacy policy but rather a hyperlinked agreement embedded within a block of text, which users must actively click to access. Research suggests that while users may not always read privacy policies in detail, they are significantly influenced by visual cues (Étienne, Manant, and Pajak 2015). Weibo’s interface design subtly discourages users from scrutinizing privacy settings, thereby reducing their privacy awareness. Additionally, the consent mechanism presents users with only two options: “Agree” or “Disagree and Quit.”

This design contravenes Article 16 of the PIPL, which explicitly prohibits personal information processors from denying services solely based on users’ refusal to provide non-essential personal data. Likewise, Article 4 of the Regulations reiterates that apps must not refuse users access to essential functions solely because they decline to provide non-essential personal data. In a similar case involving WeChat Reading, Tencent defended its data collection practices by claiming that such mechanisms were part of its operational model.[14] However, if platforms like Weibo fail to conduct compliance reviews and implement necessary adjustments, they risk violating both the PIPL and the Regulations.

Beyond the problematic design of the privacy policy interface, the absence of a valid opt-in mechanism further undermines informed consent. Once a user agrees to Weibo’s general privacy policy, their viewing activities are automatically shared with followers, who receive pop-up notifications such as “Your friend recently viewed”. Users can only disable this function by navigating through multiple layers of settings (Settings → Privacy → Disable ‘Allow sharing of my interactions’), and even then, not all users have access to this option. Instead of an opt-in model, which requires active user consent, Weibo employs an opt-out mechanism, where users must take additional steps to disable the function.

In conclusion, Weibo’s “Friends Are Watching” function raises significant privacy concerns due to excessive data collection, a lack of valid informed consent, and an opt-out mechanism that defaults to data disclosure. Without necessary compliance measures, this function risks violating China’s PIPL and regulatory guidelines governing the collection and disclosure of personal data on digital platforms.

5 Governance of Personal Data Disclosure: a Layered Consent Mechanism

The principle of informed consent must be reinforced to ensure its substantive effectiveness. Informed consent is an essential component of the right to explanation, which extends beyond a mere declaration of user consent prior to data processing. Instead, it serves as the foundation for transparency and the duty to provide explanations throughout the entire data lifecycle (Kim and Routledge 2020). Given the increasing complexity and unpredictability of algorithmic decision-making and data processing (Cheng and Liu 2023), a single instance of prior consent is insufficient to meet users’ expectations of transparency. A dynamic mechanism must be established to enable data subjects to obtain ex post explanations regarding how their data is processed, thereby safeguarding their rights. However, the legal framework surrounding the right to explanation remains ambiguous and is currently in a quasi-effective state, primarily reflected in non-binding guidelines and draft legislation, such as the recitals of the GDPR and the proposed U.S. Algorithmic Accountability Act (Liu and Hua 2023).

Under the GDPR, the term “processing” encompasses various activities, including the use, disclosure by transmission, dissemination, or otherwise making data available. Similarly, PIPL defines “processing” as including the collection, use, and disclosure of personal data. As long as the principle of informed consent is met, these different forms of processing are considered lawful. However, the WeChat Reading case introduced a distinction between “obtaining” and “disclosing” personal data. In this case, WeChat Reading obtained the plaintiff’s WeChat friend list with explicit user consent. The court ruled that the data controller’s acquisition of the friend list did not violate the principles of legality, legitimacy, and necessity and therefore did not infringe upon the plaintiff’s personal information rights. However, the platform also made the plaintiff’s reading activity visible to friends using the same application, automatically followed the plaintiff’s WeChat friends on their behalf, and allowed friends to view their reading history. Given the close connection between this data and the plaintiff’s personal identity, the court deemed that WeChat Reading’s default disclosure of reading activity – without explicit, informed consent – posed a significant risk of infringing upon the user’s personality rights and privacy. The platform’s user agreement failed to provide an adequate level of transparency, leading to an infringement of personal information rights.

This distinction highlights the layered nature of the informed consent principle: a user’s consent to providing personal information does not equate to consent for its further use or disclosure. Therefore, a one-time acceptance of all processing activities via a single consent button on a privacy policy page is inadequate. Consent to “obtain” data should not be automatically extended to include “disclosure” of the same data.

When designing privacy policy consent interfaces, different processing activities should be categorized according to users’ reasonable expectations of privacy. Consent mechanisms should be structured to ensure that users can clearly identify and evaluate processing activities that may carry heightened privacy risks.

Some scholars argue that for sensitive personal data, “separate consent” should be required based on a “specific purpose” standard (Liu and Hua 2023). This means that distinct, independent consent must be obtained for each specific purpose, preventing the bundling of multiple purposes under vague categories such as “to improve services” or “to enhance user experience”. Furthermore, when informing users about sensitive data processing, data controllers must take additional steps to clarify complex or ambiguous points, such as providing supplementary links, pop-up notifications, and visually intuitive explanations to enhance user awareness (Sun 2022).

In this regard, some scholars (Oh et al. 2021) outline four key conditions for ensuring the validity of user consent. First, users must have straightforward access to the privacy policy, either through direct display or via a clearly visible link. Second, the mechanism for obtaining consent must be explicit; actions such as clicking “Register” or “Continue” should not be automatically interpreted as agreement, and the use of pre-ticked checkboxes must be avoided. Third, the terms of service and the privacy policy should be presented separately, allowing users to provide consent independently rather than through a bundled agreement. Lastly, the privacy policy should be drafted in language that is both clear and concise, ensuring that an average user can easily comprehend its contents.

From a design perspective, privacy policy text should occupy a sufficiently prominent portion of the interface to ensure users are adequately informed. The visibility and prominence of the text should meet a minimum threshold to fulfill the platform’s duty of informing users. Moreover, “Accept” and “Reject” buttons should be presented in identical formats to prevent visual manipulation, and no design elements should be used to unduly highlight the “Accept All” option.

Furthermore, the classification of sensitive personal data should be refined to establish clearer boundaries. In the commercial utilization of personal data by platforms, the expectation of reasonable use is often amplified to the detriment of users’ defensive expectations. When delineating the scope of sensitive information, its inherent sensitivity must be properly recognized, taking into account both the specific application context and relevant industry standards (Liu and Hua 2023). A comprehensive approach to defining sensitive information should integrate a list-based categorization while also incorporating a dynamic risk management framework (Ji 2018). This would allow for the contextual reassessment of general data based on its potential correlations with sensitive information, thereby mitigating the risk of data linkage attacks and ensuring robust privacy protection for data subjects.

A quantitative approach could also be employed to establish a layered consent mechanism. Specifically, for “quasi-identifiable data,” which is displayed without anonymization or de-identification, a case-by-case assessment is required. The identifiability of such data should be evaluated within the broader platform architecture, considering its aggregation potential. Higher aggregation potential implies greater identifiability and, consequently, increased privacy risks. The following quantifiable factors should be considered in this assessment:

  1. Degree of Centralized Display: This refers to whether the platform collects and presents the data in a centralized and easily accessible manner. The higher the degree of data aggregation, the more accurate the user profile becomes, which in turn increases privacy risks (Conti 2016). For instance, on Weibo, a user’s “likes” are publicly displayed on their profile, facilitating easy access for others. In contrast, on Instagram, users only encounter their friends’ liked content while scrolling through their feed, without the ability to view a comprehensive list of all past likes.

  2. Real-Time Visibility: This concerns whether other users can instantly receive notifications about an individual’s online activities. This feature increases the likelihood that specific actions taken by users at a given time will be noticed by others, thereby enhancing the identifiability of those actions. As a result, it raises the potential for privacy risks, as more details about a user’s behavior become accessible to others in real time. For example, Weibo provides real-time notifications when a followed user joins a live stream, thereby increasing exposure.

  3. Anonymity of the Behavior Itself: This considers whether other users can infer an individual’s engagement in a particular activity. In previous research, scholars have proposed a conceptual model of privacy expectation types divided into four categories: Desired, Predicted, Deserved, and Minimum (Rao and Pfeffer 2020). Among these, the Predicted type of privacy expectation is inherently embedded in users’ online behaviors. This type reflects what users believe will likely happen based on their understanding of current data practices and technological capabilities. Viewing a live stream, for example, is analogous to browsing history and differs from actions such as liking or commenting, which are inherently more public. If a user’s activity remains undisclosed unless they actively interact (e.g., like or comment), their expectation of privacy is relatively higher. By analyzing the Predicted level of privacy expectation, it is possible to infer users’ Desired privacy expectations, which represent their ideal state of privacy. This hierarchical relationship suggests that users’ Predicted expectations serve as a bridge between their Desired expectations and the actual privacy practices they encounter. Therefore, understanding the Predicted level of privacy expectation can provide valuable insights into users’ broader privacy desires and help align data practices with user expectations.

  4. Duration of Visibility: This factor measures the length of time during which information remains accessible. For example, Weibo’s “Friend is Watching” notification for live streams is temporary and disappears once the stream ends. In contrast, a user’s “like” history remains indefinitely visible on their profile, making it more privacy-invasive to a certain degree. This

  5. Scope of Visibility: This pertains to whether the data is visible to all users or restricted to a specific group, and it also reflects users’ Predicted type of privacy expectation. Privacy is not solely an individual attribute but can also be a group-based property (Stuart, Bandara and Levine 2019). Group privacy involves selective control, which refers to how group members manage the sharing of information and regulate boundaries within the group. The scope of visibility directly influences this selective control. Comparing Weibo and Instagram’s handling of user “likes” illustrates this approach: on Weibo, historical likes are permanently visible on a user’s profile for all users, indicating high identifiability and privacy risks. Conversely, Instagram only displays liked posts sporadically within users’ feeds, reducing identifiability and privacy concerns.

When the aggregation potential of a particular dataset exceeds a predefined threshold, stricter consent mechanisms should be mandated. At its core, the principle of informed consent aims to balance users’ expectations of privacy, which not only include defensive expectations but also reasonable use expectations. This principle is also one of the tools through which platforms can enhance interactive features (Burkhardt et al. 2022). However, the primary focus of the informed consent principle remains the protection of users’ privacy expectations. Article 29 of the PIPL stipulates that processing sensitive personal data requires explicit consent from individuals. The online behavioral data addressed in this study, undeniably, represent personal information that embodies both defensive and reasonable use expectations, and thus possesses a certain level of sensitivity.

Given the current situation, it is evident that platform privacy policies prioritize commercialization and overlook users’ defensive expectations (Mugadza and Gwamaka 2023). When platforms continue to implement ineffective privacy consent policies, failing to achieve the objectives of informed consent, a shift is necessary. Rather than relying on consent as a loophole for privacy violations, a stronger emphasis should be placed on prohibition.

Through research, it is possible to establish a threshold value. If the aggregated potential of certain types of data exceeds this threshold, the associated privacy risk on the platform would be deemed high. In such cases, the processing and use of this data should be subject to stricter consent conditions, beyond the default prohibition.

Traditionally, platforms have used privacy consent terms to inform users on how to disable certain features, allowing users to either agree to the entire policy or opt out (Mills 2022). However, the opt-in effect has been minimal. This study proposes that while platforms can still present such features within the privacy consent terms, the notification should not focus on how to disable the feature, but rather on how to manually enable it. Unlike the simplicity of disabling, manually enabling such features would require specific steps, and platforms should not induce users to activate these features unintentionally through everyday functionalities or by using easily misinterpreted labels.
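As an added illustration (not code from this article or from any platform), the sketch below shows how a platform could enforce the layered mechanism proposed in this section: the five factors are combined into an aggregation-potential score, consent to “obtain” never implies consent to “disclose,” and data scoring above the threshold can be disclosed only after a manual opt-in. The equal weights, the 0.5 threshold, the factor scores, and all names are assumptions, since the article proposes a threshold without fixing any values.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    OBTAIN = "obtain"
    DISCLOSE = "disclose"


class Source(Enum):
    POLICY_ACCEPTANCE = "policy_acceptance"  # bundled "Agree" click on the policy page
    MANUAL_OPT_IN = "manual_opt_in"          # user switched the feature on themselves


@dataclass(frozen=True)
class Exposure:
    """The five factors listed above, each scored 0.0 (low) to 1.0 (high exposure)."""
    centralized_display: float
    real_time_visibility: float
    passive_behavior_revealed: float  # factor 3: high when a non-public act (viewing) is shown
    duration: float
    scope: float


# ASSUMPTION: equal weights and a 0.5 threshold, chosen only for this example.
WEIGHTS = {name: 0.2 for name in Exposure.__dataclass_fields__}
THRESHOLD = 0.5


def aggregation_potential(e: Exposure) -> float:
    return sum(w * getattr(e, name) for name, w in WEIGHTS.items())


def requires_opt_in(e: Exposure) -> bool:
    return aggregation_potential(e) > THRESHOLD


# Constructed scores, loosely following the article's qualitative comparisons.
CATALOG = {
    "profile_like_history": Exposure(1.0, 0.3, 0.3, 1.0, 1.0),  # permanent, public list
    "live_view_notice": Exposure(0.2, 1.0, 1.0, 0.2, 0.6),      # real-time, to followers
    "feed_likes": Exposure(0.2, 0.2, 0.3, 0.3, 0.5),            # sporadic, in feeds only
}


class ConsentLedger:
    """Default-deny store keyed by (user, data type, operation, purpose)."""

    def __init__(self, catalog: dict[str, Exposure]):
        self._catalog = catalog
        self._grants: dict[tuple[str, str, Op, str], Source] = {}

    def grant(self, user: str, data: str, op: Op, purpose: str, source: Source) -> None:
        self._grants[(user, data, op, purpose)] = source

    def withdraw(self, user: str, data: str, op: Op, purpose: str) -> None:
        # Withdrawal is one call, mirroring "as easy as giving consent".
        self._grants.pop((user, data, op, purpose), None)

    def may_process(self, user: str, data: str, op: Op, purpose: str) -> bool:
        source = self._grants.get((user, data, op, purpose))
        if source is None:
            return False  # no record for this exact operation and purpose
        if op is Op.DISCLOSE and requires_opt_in(self._catalog[data]):
            return source is Source.MANUAL_OPT_IN  # bundled acceptance is not enough
        return True


def demo() -> dict[str, bool]:
    ledger = ConsentLedger(CATALOG)
    out = {}
    ledger.grant("u1", "live_view_notice", Op.OBTAIN, "deliver_stream",
                 Source.POLICY_ACCEPTANCE)
    out["obtain"] = ledger.may_process("u1", "live_view_notice", Op.OBTAIN, "deliver_stream")
    out["disclose_without_grant"] = ledger.may_process(
        "u1", "live_view_notice", Op.DISCLOSE, "notify_friends")
    ledger.grant("u1", "live_view_notice", Op.DISCLOSE, "notify_friends",
                 Source.POLICY_ACCEPTANCE)
    out["disclose_bundled"] = ledger.may_process(
        "u1", "live_view_notice", Op.DISCLOSE, "notify_friends")
    ledger.grant("u1", "live_view_notice", Op.DISCLOSE, "notify_friends",
                 Source.MANUAL_OPT_IN)
    out["disclose_opt_in"] = ledger.may_process(
        "u1", "live_view_notice", Op.DISCLOSE, "notify_friends")
    ledger.withdraw("u1", "live_view_notice", Op.DISCLOSE, "notify_friends")
    out["disclose_after_withdrawal"] = ledger.may_process(
        "u1", "live_view_notice", Op.DISCLOSE, "notify_friends")
    return out


if __name__ == "__main__":
    for name, exposure in CATALOG.items():
        print(name, round(aggregation_potential(exposure), 2), requires_opt_in(exposure))
    print(demo())
```
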

Lastly, reducing perceived threats and strengthening user trust are critical strategies for increasing platform user retention (Reichheld and Phil 2000). Establishing professional and authoritative industry associations to guide the development of the app industry is essential. These associations should set clear guidelines requiring app developers to prioritize user experience, and to eliminate excessive collection and misuse of personal information.

6 Conclusion: A Shared Future Under Evolving Privacy Expectations

The third category of personal information remains uncertain in terms of its sensitivity, as its classification depends on the context and the extent to which reasonable use expectations are still applicable. While it has not been explicitly classified as sensitive information in various jurisdictions, its associated risks in the internet environment are increasingly approaching those of sensitive data. The growing correlation between digital identity and personality on the internet further substantiates the increasing sensitivity of such information.

Under traditional legal frameworks for the internet, the United States has taken the lead in expanding the boundaries of sensitive information, offering valuable insights for the European Union and China in classifying sensitive personal data. Based on the categorization of sensitive information according to context, it is essential to consider quantifiable factors for determining the sensitivity of information. A preliminary evaluation of the rationality of information use on a given platform can be made, and if deemed unreasonable, stricter informed consent mechanisms should be implemented.

The inefficacy of the traditional informed consent principle has led to the disregard of users’ defensive privacy expectations in favor of platforms’ commercial interests. This excessive use of personal information has resulted in widespread privacy concerns and increasing self-censorship among users. Therefore, more effective opt-in mechanisms are needed, with an emphasis on improving the readability of privacy consent pages, evaluating potential clickbait tendencies, and adopting more stringent layered consent processes. To foster a healthier and safer online ecosystem, administrative departments and industry organizations must strengthen oversight, promote self-regulation within the industry, and ensure that the commercialization of personal information aligns with users’ privacy expectations.


Corresponding author: Yijin Guo, UFR Droit et Science Politique, Université Paris-Nanterre, Nanterre, France

Award Identifier / Grant number: 24BYY151

Funding source: Fundamental Research Funds for the Central Universities, Zhejiang University


Acknowledgments

The authors have accepted responsibility for the entire content of this manuscript and approved its submission.

  1. Research ethics: Not applicable.

  2. Author contributions: The authors have accepted responsibility for the entire content of this manuscript and approved its submission.

  3. Conflict of interest: The authors state no conflict of interest.

  4. Research funding: This work was supported by the project of National Social Science Foundation (Grant No. 24BYY151) and the Fundamental Research Funds for the Central Universities, Zhejiang University.

  5. Data availability: Not applicable.

References

Altman, I. 1976. “Privacy: A Conceptual Analysis: Environment and Behavior.” Environment and Behavior 8 (1): 7–29. https://doi.org/10.1177/001391657600800102.

Arosio, L., eds. 2022. “What People Leave Behind Online: Digital Traces and Web-Mediated Documents for Social Research.” In What People Leave Behind, Vol. 7, 311–21, Frontiers in Sociology and Social Research. Cham: Springer. https://doi.org/10.1007/978-3-031-11756-5_20.

Barth, S., and M. De Jong. 2017. “The Privacy Paradox – Investigating Discrepancies between Expressed Privacy Concerns and Actual Online Behavior: A Systematic Literature Review.” Telematics and Informatics 34 (7): 1038–58. https://doi.org/10.1016/j.tele.2017.04.013.

Bauman, Z., and D. Lyon. 2012. Liquid Surveillance: A Conversation. Cambridge: Polity.

Bourdieu, P. 1984. Distinction: A Social Critique of the Judgement of Taste. Cambridge: Harvard University Press.

Burkhardt, G., F. Boy, D. Doneddu, and N. Hajli. 2022. “Privacy Behaviour: A Model for Online Informed Consent.” Journal of Business Ethics 186: 237–55. https://doi.org/10.1007/s10551-022-05202-1.

Cheng, L., and X. Gong. 2024. “Appraising Regulatory Framework towards Artificial General Intelligence (AGI) Under Digital Humanism.” International Journal of Digital Law and Governance 1 (2): 269–312. https://doi.org/10.1515/ijdlg-2024-0015.

Cheng, L., J. Han, and J. Nasirov. 2024. “Ethical Considerations Related to Personal Data Collection and Reuse: Trust and Transparency in Language and Speech Technologies.” International Journal of Legal Discourse 9 (2): 217–35. https://doi.org/10.1515/ijld-2024-2010.

Cheng, L., and X. Liu. 2023. “From Principles to Practices: The Intertextual Interaction between AI Ethical and Legal Discourses.” International Journal of Legal Discourse 8 (1): 31–52. https://doi.org/10.1515/ijld-2023-2001.

Cheng, L., M. Xu, and C. Chang. 2023. “Exploring Network Content Ecosystem Evaluation Model Based on Chinese Judicial Discourse of Digital Platform.” International Journal of Legal Discourse 8 (2): 199–224. https://doi.org/10.1515/ijld-2023-2010.

Cheng, X. 2021. Understanding and Application of the Personal Information Protection Law. Beijing: China Legal Publishing House.

CNNIC. 2023. “The 52nd Statistical Report on Internet Development in China.” Journal of the National Library of China 32 (5).

Conti, M. 2016. “Privacy in Data Aggregation.” In Secure Wireless Sensor Networks, 65–81, Advances in Information Security. New York: Springer. https://doi.org/10.1007/978-1-4939-3460-7.

Culnan, M. J., and P. K. Armstrong. 1999. “Information Privacy Concerns, Procedural Fairness, and Impersonal Trust: An Empirical Investigation.” Organization Science 10 (1): 104–15. https://doi.org/10.1287/orsc.10.1.104.

Ding, X. 2019. “User Profiling, Personalized Recommendation, and Personal Information Protection.” Global Law Review 41 (5): 82–96.

Doyle, T. 2011. “Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life.” Journal of Value Inquiry 45: 97–102. https://doi.org/10.1007/s10790-010-9251-z.

Elyamany, N. 2024. “The De-legitimation of Machine Learning Algorithms (MLAs) in ‘The Social Dilemma’ (2020): A Post-digital Cognitive-Stylistic Approach.” International Journal of Legal Discourse 9 (1): 59–92. https://doi.org/10.1515/ijld-2024-2003.

Étienne, J., M. Manant, and S. Pajak. 2015. “Privacy and Public Logo Personal Data Disclosure in the Presence of a Public Institution’s Logo: A Field Experiment.” Translated by L. Carey-Libbrecht. Réseaux 189 (1): 123–49. https://doi.org/10.3917/res.189.0123.

Fan, H., and L. Gu. 2021. “Exploring the Balance: The Practical Dilemmas and Revisions of the Informed Consent Principle in Privacy Protection.” Journal of Journalism and Communication 2 (70–85): 127–8.

Faridoon, A., and T. Kechadi. 2023. “Data Behind the Walls – An Advanced Architecture for Data Privacy Management.” 2022 International Conference on Computational Science and Computational Intelligence (CSCI): 922–8. https://doi.org/10.1109/CSCI58124.2022.00165.

Floridi, L. 2006. “Four Challenges for a Theory of Informational Privacy.” Ethics and Information Technology 8: 109–19. https://doi.org/10.1007/s10676-006-9121-3.

Goffman, E. 1959. The Presentation of Self in Everyday Life. New York: Doubleday.

Hu, W. 2018. “The Conception of Defining Sensitive Personal Information in China.” China Legal Science 5: 235–54.

Jenkins, H. 1992. Textual Poachers: Television Fans & Participatory Culture. New York: Routledge.

Ji, L. 2018. “On the Normative Reconstruction of the Consent Requirement in Personal Information Utilization.” Library 12: 85–91.

Kant, I., J. B. Schneewind, M. Baron, and S. Kagan, eds. 2002. Groundwork for the Metaphysics of Morals. New Haven: Yale University Press.

Kim, T., and B. R. Routledge. 2020. “Why a Right to an Explanation of Algorithmic Decision-Making Should Exist: A Trust-Based Approach.” Business Ethics Quarterly 32: 75–102. https://doi.org/10.1017/beq.2021.3.

Lambert, É., and J. Smolinski. 2024. “Governing Consumer Information in the Digital Age: Lessons from a Controversy Between a Food Rating App and Processed Meat Manufacturers.” International Journal of Digital Law and Governance 1 (2): 245–68. https://doi.org/10.1515/ijdlg-2023-0005.

Li, Y. 2015. “A Legal and Economic Analysis of Personal Information Rights Protection and Its Limitations.” Legal Forum 3: 46.

Li, J., X. Cai, and L. Cheng. 2023. “Legal Regulation of Generative AI: A Multidimensional Construction.” International Journal of Legal Discourse 8 (2): 365–88. https://doi.org/10.1515/ijld-2023-2017.

Lin, H. 2018. “The Dilemma and Solution of the Informed Consent Principle in Personal Information Protection.” Journal of Beijing University of Aeronautics and Astronautics (Social Sciences Edition) 31 (3): 13–21.

Liu, B., and S. Hua. 2023. “Research on the Improvement Path of Algorithmic Right to Be Informed in China.” Sino-Arab Science and Technology Forum (Chinese & English) 10: 143–7.

Mangiò, F., A. Davide, and P. Giuseppe. 2020. “Hands off My Data: Users’ Security Concerns and Intention to Adopt Privacy-Enhancing Technologies.” Italian Journal of Marketing 2020: 309–42. https://doi.org/10.1007/s43039-020-00017-2.

Marwick, A., and D. Boyd. 2014. “Networked Privacy: How Teenagers Negotiate Context in Social Media.” New Media & Society 16 (7): 1051–67. https://doi.org/10.1177/1461444814543995.

Megan, R., and H. Deng. 2025. “Clarifying the Concept and Judging Elements of ‘Specific Identity Information’ in the Context of Data Governance.” Journal of Chongqing University of Posts and Telecommunications (Social Science Edition) 37 (1): 33–43.

Mills, K. 2022. “Consent and the Right to Privacy.” Journal of Applied Philosophy 39 (4): 721–35. https://doi.org/10.1111/japp.12592.

Mugadza, K., and M. Gwamaka. 2023. “Online Platform Privacy Policies: An Exploration of Users’ Perceptions, Attitudes, and Behaviours Online.” South African Computer Journal 35: 78–96. https://doi.org/10.18489/sacj.v35i2.17443.

Neuwirth, R. J. 2024. “The Global Institutional Governance of AI: A Four-Dimensional Perspective.” International Journal of Digital Law and Governance 1 (1): 113–53. https://doi.org/10.1515/ijdlg-2024-0004.

Ni, Y. 2019. “The Theoretical Evolution and Conceptual Reconstruction of Privacy Rights in U.S. Law: An Analysis Based on the Theory of Contextual Integrity and Its Implications for Chinese Law.” Politics and Law 10: 149–61.

Ning, Y. 2021. “The Legal Standards and Scope Definition of Sensitive Personal Information: Centered on Article 28, Paragraph 1 of the Personal Information Protection Law.” Comparative Law Research 5: 33–49.

Nissenbaum, H. 2010. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford: Stanford University Press. https://doi.org/10.1515/9780804772891.

Oh, J., J. Hong, C. Lee, J. Lee, S. Woo, and K. Lee. 2021. “Will EU’s GDPR Act as an Effective Enforcer to Gain Consent?” IEEE Access 9: 79477–90. https://doi.org/10.1109/access.2021.3083897.

Petronio, S. 2002. Boundaries of Privacy: Dialectics of Disclosure. Albany: SUNY Press. https://doi.org/10.1353/book4588.

Rao, A., and J. Pfeffer. 2020. “Types of Privacy Expectations.” Frontiers in Big Data 3: 7. https://doi.org/10.3389/fdata.2020.00007.

Reichheld, F. F., and S. E. Phil. 2000. “Loyalty: Your Secret Weapon on the Web.” Harvard Business Review 78 (4): 105–13.

Schauer, F. 1978. “Fear, Risk and the First Amendment: Unraveling the Chilling Effect.” Harvard Law Review 90 (4): 693–732.

Simmel, G., eds. 2011. The Philosophy of Money. London: Routledge. https://doi.org/10.4324/9780203828298.

Stuart, A., A. K. Bandara, and M. Levine. 2019. “The Psychology of Privacy in the Digital Age.” Social and Personality Psychology Compass 13 (11): 1–13. https://doi.org/10.1111/spc3.12507.

Sun, J. 2017. “Research on Fan Consumption and Fan Economy.” Contemporary Economy 34 (20): 68–9.

Sun, Q. 2022. “The Special Institutional Logic and Regulatory Strategies for Sensitive Personal Information Protection.” Administrative Law Review (1): 119–30.

Sun, J., H. Zhang, and Y. Li. 2021. “Digital Literacy and Privacy Awareness: A Study on E-Commerce Platforms in China.” Journal of Cyber Security 15 (2): 102–18.

Tajfel, H., and J. Turner, eds. 2001. “An Integrative Theory of Intergroup Conflict.” In Intergroup Relations: Essential Readings, 94–109. New York: Psychology Press.

Turner, J., and P. Oakes. 1986. “The Significance of the Social Identity Concept for Social Psychology with Reference to Individualism, Interactionism and Social Influence.” British Journal of Social Psychology 25 (3): 237–52. https://doi.org/10.1111/j.2044-8309.1986.tb00732.x.

Wagner, A., and A. Matulewska. 2023. Research Handbook on Jurilinguistics. Cheltenham: Edward Elgar Publishing. https://doi.org/10.4337/9781802207248.

Weng, X., and Y. Lian. 2024. “Investigation and Protection of Social Media Users’ Privacy Behavior.” Operations Research and Fuzzology 14 (2): 625–33. https://doi.org/10.12677/orf.2024.142165.

Zhang, X. 2022. “Personality Rights in Public Law: A Conceptual Perspective.” Journal of East China Normal University (Philosophy and Social Sciences Edition) 54 (1): 69–81. https://doi.org/10.16382/j.cnki.1000-5579.2022.01.007.

Zhang, H. 2023. “From the Personality Rights Section of the Civil Code to the Personal Information Protection Law.” Seeking Truth 1: 175–86.

Xuan, C., X. Wang, Z. Li, and F. Hou. 2023. “The Effect of Privacy Policy Transparency on Users’ Willingness to Use Social Platforms in Chinese Context.” Journalism University 6: 72–83, 119.

Zhang, X. 2019. “Personal Information Collection: Limitations on the Application of the Informed Consent Principle.” Comparative Law Research 6: 1–20.

Zhang, X., and B. Li. 2019. “Trust and Risk Perception: An Empirical Study on Factors Influencing Privacy and Security in Social Networks.” Modern Communication 41 (2): 153–8. https://doi.org/10.1155/2019/2964673.

Zhao, Y., and Y. Guo. 2024. “Liability Regulation on Short Video Platforms: Balancing Freedom of Expression and Copyright Protection.” International Journal of Legal Discourse 9 (2): 313–38. https://doi.org/10.1515/ijld-2024-2014.

Zheng, X., and J. Tan. 2022. “Identity and Performance: A Study of Fan Culture in the Internet Age.” Social Sciences in China Review (1): 128–37.

Zhu, H., M. Zhang, and Y. Lu. 2018. “An Empirical Study on Social Media Users’ Willingness to Read Privacy Policies.” Journal of the China Society for Scientific and Technical Information 4: 362–71.

Received: 2024-10-20
Accepted: 2025-03-10
Published Online: 2025-04-25
Published in Print: 2025-04-28

© 2025 the author(s), published by De Gruyter on behalf of Zhejiang University

This work is licensed under the Creative Commons Attribution 4.0 International License.
