Surveillance by Terms of Service: What You Agreed To

Last updated on May 4, 2026

Standard SaaS terms of service describe a surveillance architecture in plain text. Most business owners signed without reading. Here is what those clauses mean.

Surveillance by terms of service is the mechanism by which platforms obtain legal authorization for data practices that users would not consent to if those practices were described plainly. The terms of service are the legal architecture of surveillance capitalism. They are designed to be accepted without being read.

What Do SaaS Data Clauses Actually Authorize in Plain Language?

The data processing clauses in standard SaaS terms of service typically include provisions that authorize the platform to collect usage data, to use aggregated and anonymized data for product development and market analysis, and to share data with third parties under defined conditions. The provisions are accurate. They describe what the platform actually does. They are written in legal language that obscures the operational meaning of what is being authorized.

"Collected usage data" means behavioral surveillance: which features you use, when, how often, and in what sequences. "Used for market analysis" means your operational intelligence contributes to the platform's competitive intelligence products. "Shared with third parties" means the conditions under which your data leaves the platform are defined by the platform, not by you.

Why Does Clicking Agree Not Constitute Informed Consent?

Zuboff's analysis of surveillance capitalism identifies the consent problem as structural, not incidental. Terms of service are not designed to produce informed consent. They are designed to produce legal authorization for practices that informed consent would refuse. The length, the legal language, and the click-to-agree mechanism are features of a system optimized for authorization, not understanding.

A business that clicked through a SaaS terms of service agreement without reading it did not consent to surveillance in any meaningful sense. It provided the legal authorization the platform needed to conduct surveillance. Those are different things.

What Would You Decide Differently If You Read the Terms First?

Reading the actual terms of major SaaS platforms reveals a consistent pattern: broad data collection authorization, aggregated data use provisions that cover competitive intelligence, and third-party data sharing conditions defined unilaterally by the platform. The surveillance architecture is described in plain text. The description is just buried in language optimized for acceptance rather than comprehension.

The business that reads its SaaS terms of service and understands what it has authorized is in a position to make a different decision. Most have not read them. The platforms are aware of this.

Frequently Asked Questions

What do SaaS terms of service actually say about your data?

Standard SaaS terms authorize: collection of all usage data generated while using the platform, use of aggregated and anonymized data for product development and market analysis, and sharing of data with third parties under conditions the platform defines unilaterally. These are standard clauses in most major SaaS agreements, not edge cases.

Is clicking agree on a SaaS terms of service legally meaningful consent?

Legally, yes. Courts have generally upheld clickwrap agreements. Meaningfully, no. Zuboff's analysis identifies the consent problem as structural: terms of service are designed to produce legal authorization for practices that informed consent would refuse, not to produce informed consent.

What should you look for in SaaS terms of service before signing up?

Look specifically for these four clauses:

  • The data use clause: defines how your operational data can be used beyond service delivery, including whether it feeds into market intelligence or AI training
  • The aggregation clause: authorizes using your data in aggregate with other customers' data, effectively making your usage patterns part of the platform's competitive intelligence
  • The third-party sharing clause: defines who else receives your data and under what conditions
  • The data retention clause: defines what happens to your data after you cancel and how long you have to retrieve it

References

Zuboff, Shoshana. The Age of Surveillance Capitalism. PublicAffairs, 2019.

Electronic Frontier Foundation. eff.org.

Zuboff, Shoshana. "You Are Now Remotely Controlled." The New York Times. January 2020.

Saïd

agitator-in-chief

Saïd is a user experience designer, visual artist, brand marketing strategist, and reluctant developer who writes on topics to better understand how we can have a less shitty internet for the benefit of not billionaires and that one trillionaire.

You may reach him directly at said@martinezcalderon.co.
