What lawyers and business leaders miss when they think about “privacy "and why it costs them.
This article is adapted from The Privacy Filter podcast series, a Barnes & Thornburg briefing on data security and privacy. To subscribe to The Privacy Filter, click here.
This article draws on a candid roundtable discussion between graduate students across Gen Z, Millennial, and Gen Alpha-adjacent cohorts. The conversation surfaces something that surveys and focus groups often miss: how data privacy functions in people’s daily lives, in their own words.
When lawyers think about protecting users, they often default to thinking about data breaches, consent mechanisms, and the various consumer privacy rights. When their clients’ users actually think about privacy, and they do think about it, they’re asking something else entirely: What's most convenient, and what's the worst case if my activity gets out? What will this reveal about me to the people in my life?
That gap is not a communications problem. It’s a design problem, a compliance problem, and increasingly a liability problem.
One Gen Z participant put it plainly: for her peers, traditional online privacy — who has your data, what a company does with it — registers far less urgency than social exposure. “It’s more about the social aspect,” she said.
The Two Definitions of Privacy
Privacy law, especially the regimes lawyers and businesses operate under every day, is built on a data-centric model. Information gets collected, stored, shared, and sometimes misused by institutions, and the law's job is to give you control over that flow. Manage the data, the thinking goes, and you've protected the privacy. Scholars have pushed back on this framing for decades. But in practice, the data-control logic still runs the room.
Your users, particularly younger ones, are operating on a different model. For them, the primary privacy threat isn't the corporation holding their location data. It's the friend who might weaponize it. The embarrassing video that circulates in a group chat. The family member who finds out something they weren't supposed to know.
One student put it plainly: Gen Z doesn't reject the concept of privacy. They apply it differently. Corporate data collection registers as ambient and distant. Social exposure registers as immediate and real.
The implication for attorneys and product teams is uncomfortable. Privacy disclosures built around institutional data use don't land with users worried about peer-level exposure. You're answering a question they weren't asking.
Several participants noted that the anonymity of institutional data collection actually reduces perceived risk. A stranger at a company having your data feels less threatening than a person in your social circle having it.
The Features You Designed for Safety Are Being Used for Control
Platforms built real-time location features as convenience tools, finding nearby friends, coordinating arrivals. The roundtable revealed something more complicated in practice.
Among Gen Z users, continuous location sharing has become a social norm, not a deliberate choice. In many peer groups, the expectation is that close friends, and sometimes new acquaintances, share their location at all times. Opting out reads as a statement: ”I have something to hide.”
Every privacy control you built into the product carries a social cost your team probably never modeled. Stop sharing, revoke access, and limit visibility: each one also functions as a social signal. One student told us her friend group regularly checks the footstep-tracking feature on a popular app, not as a safety measure, but to catch friends in stories that don't add up.
This is not a misuse edge case. It is normal use. And it has real implications:
- Consent obtained in a social environment charged with implicit expectations may not be meaningful consent.
- Features designed for transparency (notifications when someone stops sharing) become instruments of social pressure.
- The platform bears reputational exposure when its tools are used for what users themselves describe as “stalking behavior.”
Participants described stop-sharing notifications as socially loaded events — not neutral privacy choices but implied statements about the relationship. Exercising a privacy right, in practice, requires a social explanation.
The Illusion of Privacy Is a Product Decision
Snapchat’s foundational promise, images that disappear, with notifications if someone screenshots them, is a case study in what happens when a platform sells the feeling of privacy rather than the reality of it.
Multiple students described in detail how screenshot notifications were routinely circumvented: airplane mode workarounds, secondary devices, tab-switching exploits. More concerning, they described how the illusion of ephemerality made younger users, minors, in many cases, comfortable sharing content they would not have shared otherwise. When that content circulated, the platform’s notification system provided no meaningful recourse.
The lesson is not specific to Snapchat. It applies to any product that signals privacy protection it cannot actually deliver. Lawyers advising on product design should ask a harder question than “Does this feature comply with our privacy policy?” The more important question is: “Will users understand what this feature actually does and what it doesn’t?”
AI's Snapchat Issue
The same dynamic, privacy-feeling products that don’t deliver privacy is now playing out with AI assistants.
Students described their social circles using AI chatbots as confidants: sharing health information, personal secrets, relationship problems. Not because they thought the data was secure, but because the interface feels private. You’re alone with a screen. No one is watching.
One student highlighted a viral moment: OpenAI’s "Wrapped" feature, which generated year-end summaries of what users had shared with ChatGPT. Many users were startled by how specific and accurate those summaries were. They had forgotten what they’d disclosed or hadn’t thought about it accumulating into a profile.
For privacy attorneys and compliance officers, this raises questions that are not yet fully answered by existing frameworks:
- Are users providing informed consent when they share sensitive personal information with a model that will train on it?
- What disclosure obligations exist when a product is functionally used as a therapist or physician by a material portion of its user base?
- As AI companies add persistent memory and personalization features, at what point does conversational data become a health record, a financial record, or something else the law already has a view on?
The fact that users are not currently demanding stronger protections does not reduce exposure. It may increase it because the gap between what users assumed and what actually happened is where litigation and regulation tend to originate.
Privacy as Currency: The Trade-Off Your Clients Are Enabling
Perhaps the sharpest observation from the roundtable was this: younger users have largely accepted that personal data is a currency, exchangeable for convenience or social relevance. They aren't ignorant of the trade. They've just concluded that opting out costs more than opting in.
This is not apathy. It is a rational response to a system that provides little meaningful choice. As one student put it: “What’s the point of worrying about this? What am I going to do?”
That attitude is convenient for platforms and frustrating for regulators. But lawyers advising businesses should not mistake user resignation for user permission. Several dynamics can convert resigned acceptance into active grievance quickly:
- A high-profile breach or leak that makes the abstract concrete.
- Social harm that can be traced to data a user didn’t realize was collected.
- A generation that has grown up sharing everything entering adulthood and beginning to reckon with what that means.
The Deloitte data cited in the roundtable is instructive. Gen Z experiences identity theft, account hacking, and online scams at higher rates than older cohorts. They're already living with the downstream consequences of permissive data sharing. The question isn't whether they'll demand better. It's when.
What to Do With This
None of this requires abandoning current compliance frameworks. It requires supplementing them with a clearer picture of how users actually behave. A few practical applications:
For Product Counselors and Privacy Attorneys
- Audit social features for coercive consent dynamics. If using a privacy control (stopping location sharing, removing a close-friends follower) creates social consequences, that is a design risk.
- Flag the gap between communicated and actual privacy protections. Courts and regulators are increasingly focused on reasonable user expectations, not just literal policy terms.
- Start building frameworks for AI disclosure that reflect actual use patterns, including therapeutic and medical use cases.
For Compliance and Business Leaders
- User research for privacy features should include qualitative data on social dynamics, not just preference surveys.
- The absence of user complaints isn't a signal that privacy practices are acceptable. It may be a signal that users feel they have no recourse.
- There's a quiet assumption in a lot of compliance work: users won't care until a major, visible harm occurs. Call it the 'dead body' threshold. It is not a defensible posture. It is a description of how regulatory and litigation pressure tends to arrive.
Watch the Full Episode
Watch to the full episode for more consumer insights and perspectives.
To subscribe to The Privacy Filter, click here.
/Passle/67337b9db95e96d83645bccf/SearchServiceImages/2026-04-30-17-16-38-542-69f38e76ce219d66900779cc.jpg)
/Passle/673b7187983090b59d166389/SearchServiceImages/2026-03-06-21-16-02-430-69ab4412fd648d554d7075e6.jpg)
/Passle/673b7187983090b59d166389/MediaLibrary/Images/2026-03-05-18-22-56-426-69a9ca00ed43be71de59e29d.jpg)
/Passle/67337b9db95e96d83645bccf/SearchServiceImages/2026-01-30-19-04-11-166-697d00ab31405d9dcba594e5.png)