You Clicked ‘I Agree’- But Did You Really Agree?
The first Chiya Chautari of Daayitwa Nepal Public Policy Fellowship 2026 threw a simple question to the room: what do we think about AI?
Tulasa Neupane,6th July,2026,
The first Chiya Chautari of Daayitwa Nepal Public Policy Fellowship 2026 threw a simple question to the room: what do we think about AI? This question split the room into two camps. One side embraced AI for what it delivers in a few hours what once took four to five days. On the other there were those whose concern was the cost of that convenience including data security, data control, and ethical usage.
As a legal scholar with a growing interest in AI governance, my concern is more stubborn and specific. When a person clicks a ‘I Agree’ button to the pop-up terms and conditions of an application, what are they actually agreeing to? Do they really have the autonomy over their own data? Who is responsible for making sure they understood the terms and conditions and its implications? What legal framework exists to protect them if that understanding was never really there? What is the guarantee of users’ data safety?
These questions took me back to an incident I first came across a few years ago.
The Unconscious Click
In 2013, Aleksandr Kogan, a psychologist at Cambridge University, developed an application for a personality quiz called “This is Your Digital Life.” The test application was free, interesting, fun, and the quiz could be completed in about five minutes. Around 270,000 Facebook users clicked “Allow” button without knowing what that click actually permitted and its implications. The users were unknowingly allowing not only their own data but also the data of every friend on their list. It was revealed much later that the personal data of approximately 87 million Facebook users had quietly passed into the possession of political consultancy company Cambridge Analytica. That data was used to build psychological profiles. The profiles were used to target voters. As per Christopher Wylie, a former director of research at Cambridge Analytica and primary whistleblower, these voters influenced the outcome of the 2016 US Presidential election and the Brexit referendum.
All of this happened because an ordinary user who saw no harm in clicking ‘I Agree’ without reading the terms and conditions. I begin with this incident not to discuss a distant scandal; however, this is also about us. About what happens when an individual and a State ignore the power of data.
What is Data Awareness?
Let me be clear about something. Data awareness does not mean an individual’s ability to code or build algorithms or becoming a cybersecurity expert. It means something more fundamental: a conscious decision. It means the understanding that every click, every scroll, every form we fill, every app we download and use generates data about the users i.e., us. And that data, once generated, travels in ways we cannot see.
We have all heard that ‘data is the new oil.’ Let me offer a more honest metaphor: ‘data is the new property.’ Data is a record of user’s life. Where you went, what you feared, what you searched for when no one is watching. It deserves the same seriousness we give to any other right.
In digital space, there is no boundary. Someone can walk in and take what they want, and the user, the actual owner of the data, may never know what has happened and if they do notice, the user may think this is just how we should behave in this digital age.
This resignation is exactly what companies count on.
The AI Dimension: Why This Matters Even More now
AI systems do not think from scratch. They learn from the data users submit to them. A vast quantity of data, most of which was generated by ordinary people going about their ordinary lives: searching the web, sending messages, making purchases, applying for loans, and sharing personal emotions. When that data is collected without awareness, it gets used to train models that make decisions about users’ lives.
The risk is not theoretical. In 2023, a ChatGPT system glitch exposed chat histories of certain users to other users. This is a vivid reminder that even the world’s most advanced AI systems can leak data. Stanford’s 2025 AI Index Report found that trust in AI companies to protect personal data had fallen from 50% in 2023 to 47% in 2024 demonstrating a steady and consistent erosion.
Nepal is Not Immune
Nepal is a country of over 30 million people, experiencing rapid growth in the number of users who have access to internet and the digital space. Facebook remains the dominant social media platform. Millions of Nepalis use dozens of apps that collect their personal, financial, and behavioural data daily. Data breaches from companies like eSewa, Vianet, Yango, inDrive and Foodmandu have already been reported in Nepal. And yet Nepal has no dedicated data protection regulation and authority.
In September 2024, a case came before the honourable Supreme Court when Nepal Telecom attempted to procure a new billing system, a Convergent Real Time Billing (CRTB) system through a process that critics alleged could expose sensitive customer data to foreign vendors. Petitioner Rita Karki challenged the procurement, citing data breach risks. A bench of Justices Dr. Nahakul Subedi and Mahesh Sharma Paudel ruled that unauthorised data access constitutes a serious rights violation and directed Nepal Telecom to ensure privacy safeguards. The court was unambiguous and reiterated that data privacy is not a technical issue rather it is a constitutional one.
Yet, our legal framework has not caught up.
The Gaps Are Real
There are critical gaps in existing laws on data regulation and data protection. Nepal has no dedicated data protection authority. The Privacy Act 2018 does not define basic terms like data processor or data subject. There is no mandatory breach notification requirement. If user’s data is compromised, the company holding it has no legal obligation to tell the user. The law does not cover IP address, cookies, or online identifiers, the fundamental blocks of data governance. Despite releasing National Artificial Intelligence (A.I.) Policy 2025, there is lack of a comprehensive regulation that supports user’s autonomy and democratic accountability. This gap exposes zero data accountability mechanism in Nepal.
Here, two main problems meet. Because when the law does not protect, the only thing standing between user’s data and those who want it, is the moment before the click. Yes, sometimes that is too much weight to place on but until the legal framework catches up, that conscious moment is all the we have. Which is why both things need to happen simultaneously: users who are using digital space, technology, AI, and apps need to become more aware and the State needs to make that awareness matter by giving it legal teeth.
So, next time you see that “I Agree” button, just pause for a moment, read the terms and conditions, and ask what you are agreeing to. Because that click is rarely just a click.