Every search, click, and scroll is logged, analysed, and sold. The business model of the digital age is built on your behaviour, and most of us have barely begun to understand what that means.
The phrase ‘if you’re not paying for the product, you are the product’ has been circulating on the internet since at least 2010. It has become so familiar as to have lost its power to disturb. But the reality it describes has grown dramatically more sophisticated, more invasive, and more consequential than that pithy formulation suggests. What is now being extracted from users of digital services is not merely attention, as the early critics of advertising-funded media suggested. It is something more intimate and more valuable: behavioural data, at scale, in real time, used to predict and shape human action.
The scholar Shoshana Zuboff, whose 2019 book The Age of Surveillance Capitalism provided perhaps the most thorough account of this phenomenon, describes it as a new economic logic in which human experience is the raw material for prediction products sold to business customers. The goal of the system, she argues, is not merely to understand what you will do next, but to nudge you towards doing what is most commercially useful. This is not advertising as the 20th century knew it. It is something qualitatively different.
What Is Actually Being Collected
Most people are aware, in a general way, that digital services collect data about them. Fewer have a clear picture of the granularity and breadth of what is collected. Your smartphone, for instance, may share your location data with hundreds of third-party companies, many of which you have never heard of. Your period-tracking app may sell your fertility data to insurance or pharmaceutical companies. Your smart TV logs what you watch and when you pause, and shares that information with advertising networks. Your supermarket loyalty card creates a detailed record of your dietary habits, health conditions, and financial pressures, which can be inferred from your purchasing patterns.
Data brokers (companies whose entire business model consists of aggregating, packaging, and selling personal information) operate almost entirely outside of public awareness. Companies like Acxiom and Experian hold records on hundreds of millions of individuals, containing thousands of data points per person: not just name and address, but inferred religion, political affiliation, mental health status, relationship difficulties, and financial vulnerability. This data is sold to anyone willing to pay for it, including employers, landlords, and political campaigns.
Data brokers hold records on hundreds of millions of individuals. Not just name and address, but inferred religion, political affiliation, mental health status, and financial vulnerability.
The Unequal Exposure to Surveillance
Surveillance capitalism does not affect all people equally. Those with less purchasing power are typically exposed to more aggressive forms of data extraction; because poorer users are more likely to use free services funded by advertising, less likely to use privacy tools like VPNs, and more likely to have their data processed for predatory targeting. Predatory lenders, for-profit educational institutions, and payday loan companies are among the heaviest buyers of data on financially vulnerable consumers. The system does not merely observe inequality; in many cases, it actively deepens it.
Racial and ethnic minority communities have faced particular harms. Research has documented the targeting of Black communities with misleading financial products through social media advertising, the use of predictive data models in ways that replicate housing discrimination, and the deployment of surveillance technologies, including facial recognition and social media monitoring, disproportionately in lower-income and majority-minority neighbourhoods. The data infrastructure of surveillance capitalism was built without adequate consideration of these differential impacts, and its effects continue to reflect that.
The Regulatory Landscape: Progress and Its Limits
The European Union’s General Data Protection Regulation, which came into force in 2018, represents the most ambitious attempt so far to rein in data extraction. It grants individuals rights over their data (including the right to access, correct, and delete it) and imposes significant penalties on companies that violate its provisions. Enforcement has been uneven, with the Irish Data Protection Commissioner, responsible for policing many of the major US tech companies’ EU operations, regularly criticised for moving too slowly. But GDPR has set a global standard, and its influence is felt far beyond Europe.
In the United States, the regulatory picture is more fragmented. There is no comprehensive federal privacy law, though several states (California most prominently, with its Consumer Privacy Act and Privacy Rights Act) have introduced significant protections. The United Kingdom’s post-Brexit data protection framework broadly mirrors GDPR, though its future direction under successive governments has been a source of ongoing debate.
What You Can Actually Do
Individual action cannot substitute for systemic reform, and it is worth being clear-eyed about that. The data collection architecture of the modern web is designed to be difficult to opt out of, and the burden of doing so falls almost entirely on the individual. That is a design choice, and it should be a political one.
Within those constraints, there are meaningful steps. Using a privacy-focused browser and search engine (Firefox with uBlock Origin, or Brave, or DuckDuckGo) significantly reduces tracking. Auditing app permissions regularly, being sceptical of ‘free’ services that require extensive personal information, and using a password manager to maintain distinct identities across services all help. In the UK and EU, you have the right to request that companies holding your data tell you what they have and delete it.
But the deeper change required is political. The regulation of surveillance capitalism is a public policy question of the first order, as significant, in its potential consequences for human autonomy and democracy, as the regulation of financial markets or environmental pollution. It requires engaged citizens, effective regulators, and politicians who understand what they are regulating. At the moment, we are some distance from all three. But the conversation is beginning. And knowing what is at stake is where it starts.