The Cost of Free Data: How Data Subjects Unknowingly Trade Privacy for Convenience

Introduction

Mobile internet penetration in Nigeria continues to grow, with the country boasting a population of approximately 123 million internet users and a reported penetration rate of 55%. Generally, this is a positive development; however, internet penetration in Nigeria presents its unique challenges. One such challenge is the huge cost required to access the internet and the services on the internet. As a result, digital services, such as social media or financial technology services, are typically offered for free or at a very low cost by service providers. However, what many consumers do not realise is that digital services are not entirely free— consumers often pay with something far more valuable: their data.

Every click, search, and online interaction of an internet user is quietly recorded, analysed, and sometimes sold to third parties. Companies track user behaviour, access contacts, and even monitor conversations to tailor advertisements or influence decision-making. Yet, in a country where digital penetration is growing rapidly, few question what happens to their data. What are the risks? Who profits from the use of data? And how much control do consumers have over their personal information?

This gap in awareness is especially concerning when viewed through the lens of global data protection and privacy standards. For instance, in Google Spain SL v. Agencia Española de Protección de Datos (CJEU, 2014), the court recognised the “right to be forgotten,” affirming that individuals have a right to request the removal of personal data from search engines if it is inaccurate, irrelevant, or excessive. 

In this opinion piece, we highlight the unseen cost of “free” digital services, revealing how Nigerian data subjects sometimes unknowingly trade privacy for convenience, and why it is time to start paying attention.

How Companies Collect and Monetise User Data

There is a popular saying: “If you are not paying for the product, you are the product.” Many users of digital platforms interact with different products daily without realising the extent to which their data is being processed by the respective data processors and controllers.  One common example is how over-the-top (OTT) service providers often rely on user data to provide a breakdown of consumers’ use of their service and to evaluate their business’ standing in comparison with their competitors. 

Cookies are one of the most common data collection tools; they track user activity across different websites, allowing companies to build detailed profiles on individuals. Another method of collection is through mobile apps that often request excessive permissions, such as access to messages, call logs, and contacts, even when some of these requested accesses are not necessary for the app’s functionality. For example, a loan app may demand access to a user’s entire contact list, which may lead to aggressive debt collection tactics if payments are missed. 

Once collected, this data is monetised in several ways. The most obvious is through targeted advertising—tech giants like Google and Meta (Facebook) analyse user behaviour to serve personalised ads that increase engagement and sales. Additionally, these companies could sell or share data with third-party advertisers, financial institutions, or even political organisations looking to influence public opinion. This practice raises serious privacy concerns, especially when done without informed consent. For instance, in Lloyd v. Google LLC, the UK Supreme Court addressed mass data collection and emphasised the need for clear, individual consent in handling personal data. Similarly, Nigeria’s Data Protection Act (NDPA) 2023 imposes obligations on data controllers to process data lawfully and securely, outlining the necessity of establishing consent and mandating security measures to prevent data breaches. Yet, in some cases, weak cybersecurity measures still lead to leaks, exposing user information to hackers and fraudsters in direct violation of these legal provisions.

For Nigerian data subjects, the implications are huge. Beyond annoying ads, the misuse of personal data could lead to identity theft, financial fraud, and manipulation through disinformation campaigns. Yet, most people remain unaware of how much they are giving away—and who is profiting from their digital footprint.

The Hidden Cost of Free Data

People are becoming increasingly aware that many digital platforms monetise users’ attention. For instance, Over-The-Top (OTT) platforms like YouTube analyse user behaviour to serve tailored advertisements, effectively transforming attention into a revenue-generating asset. YouTube’s three million monthly users, for example, helped generate nearly €30 billion in revenue, largely from services that users access for free.

While such platforms appear free, they often operate on a data-for-service exchange model. Many apps and services collect personal data—such as browsing habits, location, and even contact lists—without always securing clear and informed consent from users. This opaque data collection process not only raises privacy concerns but may also cross into a breach of consumer protection territory. 

What Should Platform Owners Do?

The Nigerian Data Protection Act (NDPA) 2023 mandates data controllers to ensure that consent for data processing is given freely, specifically, informed, and unambiguous. The NDPA also places an obligation on data controllers and processors to exhibit transparency about the purpose and lawful basis for collecting personal data. Failure to inform to clearly explain how users’ data will be used is a contravention of the provisions of the NDPA and defaulting data controllers or processors will be liable to several penalties under the Act ranging to fines of ₦10,000,000 (ten million naira) or 2% of an organization’s annual gross revenue in the preceding year to other severe penalties prescribed under the NDPA.

To ensure ethical data practices while maintaining user trust, companies—especially those operating in Nigeria—should adopt the following approaches:

1. Have clear and easily understandable privacy policies that outline what data is collected, why, and how it is used.
2. Instead of pre-ticked boxes or vague agreements, businesses should ensure users actively consent to data collection.
3. Adopt a data minimisation approach—only collecting what is necessary for service delivery.
4. Businesses must invest in encryption, secure servers, and cybersecurity frameworks to protect user information from breaches.

Instead of profiting from invasive data collection, companies should explore subscription-based models or anonymous ad targeting that does not track personal information.

What can Data Subjects do to safeguard their data from being exploited?

The NDPA and its extant regulations contain several provisions safeguarding the rights of data subjects. To avoid exploitation of their data, data subjects can take the following steps:

1. Before signing up for any app or online service, ensure to read the privacy policy to understand what data is being collected and how it will be used. Where a product requests excessive permissions, consider alternatives.
2. Many apps request access to contacts, location, microphone, or camera—even when it’s not necessary. Users should manually restrict these permissions in phone settings. For instance, users should ensure to disable location tracking unless it’s required for a specific function. 
3.   Be cautious about free services.
4. Demand accountability from data controllers and processors on their use of your data.

Conclusion

The convenience of free digital services comes at a hidden cost—our data. Although many data subjects unknowingly trade their privacy for easy access to apps, social media, and online platforms, the long-term risks of data exploitation, surveillance, and security breaches cannot be ignored. Data controllers and processors must adopt ethical data practices, ensuring transparency, user consent, and compliance with the NDPA.

At the same time, users must take proactive steps to safeguard their information by limiting app permissions, using strong security measures, and staying informed about their digital rights. Data is the new currency, and in a world where information is power, data subjects must recognise their right to privacy and demand better protection from both corporations and the government.

This article is only intended to provide general information on the subject matter and does not, by itself, create a client/attorney relationship between readers and Hamu Legal or serve as legal advice. 

We are available to provide specialist legal advice on the readers’ specific circumstances when they arise. For further enquiries, please contact our Data Privacy team at awuese@hamulegal.com or team@hamulegal.com.