Data Privacy Week And the Illusion of Choice

Data Privacy Week is one of those calendar moments that risks fading into the background. Another awareness campaign. Another reminder to update passwords, skim a privacy policy, and move on.

But this year lands at a moment when the definition of “privacy” itself is being stretched—and in some cases complete and not-so-subtly rewritten.

Data Privacy Week runs January 26–31, culminating in Data Privacy Day on Wednesday, January 28. Led by the National Cybersecurity Alliance, the goal is simple in theory: help people and organizations understand, value, and take control of their data. In practice, that’s getting harder by the day.

Privacy risks no longer require a breach

For a long time, data privacy conversations revolved around breaches. Attackers broke in. Data was stolen. Fix the security gaps and the problem goes away.

That framing no longer fits reality.

Most people are still worried about threat actors—whether their credit card number was exposed, whether a breach notification will show up in their inbox, or whether their data might be floating around on the dark web.

Meanwhile, the real privacy risk isn’t sneaking in through the back door.

Organizations like DOGE and Palantir didn’t hack their way into anything. They walked in through the front door, with authorization, contracts, and legal cover—accessing vast amounts of personal data with near-total impunity to help build a massive surveillance architecture.

Today, the most significant privacy risks are authorized. Data is collected deliberately, retained indefinitely, enriched with other datasets, and analyzed by increasingly powerful AI systems. No hacker required. No breach notification triggered. Privacy erosion happens quietly, legally, and at scale.

By the time anyone realizes what that data can be used for, the infrastructure is already in place—and the consent conversation is long over.

TikTok highlights the new reality

Recent changes to TikTok’s U.S. privacy policy are a useful case study. TikTok has always collected a vast amount of information, but the updated language is more explicit about the scope of data it may gather and how that data may be used, shared, or reused.

None of this is unique to TikTok. What is different is the scale, the opacity, and the fact that AI can turn yesterday’s seemingly harmless data into something far more revealing tomorrow.

That context matters when you look at how the United States has handled TikTok. The platform was pressured to sell itself to U.S.-approved buyers—or face an outright ban. The justification was framed as national security: concern over the scope and scale of data potentially accessible to Chinese interests.

But this was never about limiting data collection or protecting user privacy.

The data was always going to be collected. The only real question was who would be doing the collecting.

Rather than drawing a line around excessive data harvesting, the message was clear: the problem wasn’t surveillance—it was foreign surveillance. The solution wasn’t restraint. It was transferring control of one of the largest consumer data pipelines in the world to domestic tech oligarchs instead.

From a privacy perspective, that’s not a win. It’s a reshuffling of power. And it reinforces a pattern we see again and again: privacy concerns are often invoked not to reduce data exploitation, but to decide who gets privileged access to it.

Once you see that dynamic, TikTok isn’t an outlier. It’s a preview.

Consent has become mostly symbolic

Modern privacy frameworks lean heavily on consent, but consent has become performative. Privacy policies are long, vague, and designed to protect organizations, not inform users. Clicking “Accept” is no longer a decision—it’s muscle memory.

Data Privacy Week challenges that complacency. Not by asking people to read every policy line by line, but by encouraging more basic questions: Why is this data needed? How long is it kept? Who else gets access? And what happens if I say no?

Those questions matter even more when the data collection isn’t optional.

My disappointment with Apple and Tim Cook

I’ve always put Apple on a pedestal—naively, I admit it. I believed Apple would take a stand where others wouldn’t. I saw Tim Cook as someone who stood for values, not just profit.

Lately, that belief feels outdated.

Instead of speaking out when it mattered, Apple has largely capitulated to the same pressures that warp privacy norms across Silicon Valley. And when federal agents fatally shot civilians in Minneapolis—most recently the killing of a 37-year-old ICU nurse, Alex Pretti, by a federal agent during an immigration enforcement surge and the earlier shooting of Renee Good, a U.S. citizen and mother—the tech leadership silence was deafening.

Rather than publicly condemning the use of lethal force and speaking up for civil liberties, Tim Cook joined other wealthy elites in attending a screening of a Melania Trump documentary. That choice says a lot about where Apple’s priorities now lie.

Should I abandon my iPhone? Well, yes. But what is the alternative? As Kara Swisher noted, the only other practical option is Android—and the Google founders are often just as complicit as Cook and Apple. I trust Google with my data far less than Apple’s ecosystem, but in terms of public accountability, the difference feels marginal at best.

Border security meets data maximalism

These privacy questions extend beyond Silicon Valley into government policy.

Brian Krebs highlighted that proposed changes to U.S. Customs and Border data collection practices would dramatically expand the amount of personal information required from travelers entering the United States — demanding years’ worth of identifiers, online accounts, and biometric information as a condition of entry.

From a security perspective, the argument is that this data improves vetting. From a privacy perspective, it’s a dramatic expansion of state-collected personal data—much of it unrelated to immediate security needs.

Unlike a social media app, there is no meaningful opt-out here. Consent is implied by travel.

Why this matters beyond the border

The concern isn’t just the initial collection. It’s retention, secondary use, sharing across agencies, and long-term exposure. Large, centralized repositories of sensitive data become attractive targets. They also become tempting assets for purposes far beyond their original intent.

Once DNA, biometric identifiers, and long-term communication histories are collected, they can’t be “unshared.” And as analytics capabilities improve, old data gains new meaning.

Data Privacy Week is supposed to prompt reflection. These proposals force a harder question: where does security end and surveillance begin?

Privacy is about agency, not secrecy

Privacy isn’t about hiding. It’s about control—knowing what data is collected, why, and under what constraints. When individuals lose agency over that process, privacy becomes theoretical.

This year, Data Privacy Day shouldn’t just be about personal hygiene like password managers and two-factor authentication. It should be about recognizing how quickly data collection norms are shifting—by corporations and governments alike—and deciding what lines shouldn’t be crossed.

Awareness is only the first step. Accountability and restraint are the harder parts. And there is a very problem that the horse has already left the proverbial barn and we are debating the best way to close the barn doors. Once data is collected, it’s already too late to ask whether it was necessary in the first place.