Your Data is Not Yours
Why personal data should be personal property
Imagine the morning routine of a 29-year-old elementary school teacher in Columbus, Ohio — we’ll call her Tracy — who thinks of herself as “not online.” She doesn’t engage in arguments on Reddit, and her news comes from headlines and friends instead of always-on political podcasts; she rarely, if ever, consciously shares things about herself online. When Tracy wakes up, she briefly checks her phone for the weather and the day’s news, gets dressed, and grabs a coffee before work. After paying for the coffee with her credit card, she enjoys it in the parking lot while scrolling through Instagram, then heads inside to greet her dear students. At lunch, she browses online for a new dress, adds a few to her cart for later consideration, and goes back to the classroom. After work, she watches a recent episode of the latest island-based dating show on her current streaming service, meditates, and goes to sleep.
At no point does Tracy willingly offer any part of herself to another, save for her kindness and knowledge bestowed on her students and colleagues that day. Yet, behind the screen, her “digital twin,” as it is known in the data industry, is busy in the shadowy belly of the internet, selling slices of herself on the data marketplace. Every app, website, and purchase she makes innocuously documents some small piece of herself: search terms, click paths, the device she’s using, the clothes she wants — even the things she doesn’t want, like the articles she scrolls past — aggregating and selling these dossiers to data brokers for pennies. No part of Tracy is off-limits: the media she consumes, the location she buys things in, the profiles of others who walk past her, the type of advertisement she takes just a little longer to skip; it is all recorded, saved, packaged, shipped, distributed, and sold without her knowledge or informed consent.
This profile is then sold and resold to advertisers, insurers, background-check firms, and credit agencies, among others, often fed into computer algorithms to predict, classify, and group her behavior into categories used to target Tracy with what big conglomerates determine people “like her” will buy or believe. Characteristics are inferred from collected data: even if Tracy doesn’t use online health services or a menstrual tracking app (which, by the way, have been caught sharing data), data analysis firms are routinely able to predict correlated behaviors by, for example, counting searches for “luteal phase length” to send her a perfectly-timed ad for family planning services, or promote a particularly infuriating headline to her suggested searches.
Tracy never sees these profiles, nor sees money from them, and cannot track (let alone negotiate with) the dozens of intermediaries recording and trading little bits of her life. Yet her digital twin, a poltergeist brought to life by this data ecosystem, is constantly and continuously used to target ads, determine prices and offerings, and train models that will, in turn, shape what she sees tomorrow.
When the commercial internet took off in the 1990s, personal data was treated as a kind of harmless byproduct that the marketing industry called “clickstream exhaust.” Companies logged page views and search terms for debugging or crude traffic stats, and regulators mostly focused on narrow sectors like health and finance, not on pervasive tracking of everyday life. This changed in the 2000s when, largely due to economies of scale, advertising became the primary business model for the internet. As advertisers demanded higher click-through rates, the previously unused information exhaust was directed towards a growing adtech ecosystem. Data brokers emerged to barrel up this newly tapped reservoir of information and resell it, combining website visitation behavior with transaction data, loyalty programs, loan inquiries, and social media to build “digital twins,” or persistent user profiles for millions of people.
When the 2010s rolled around, this ecosystem had matured into a full surveillance advertising industry, with real-time bidding systems that expose detailed information about you to thousands of firms every time a webpage loads an ad slot. Laws like the GDPR in Europe and CCPA in California put guardrails around this trade by introducing consent banners, access rights, and opt-outs, but leave the underlying business model intact: the commodification of behavior.
The most recent evolution in this consumer panopticon is generative AI. The same user data, now including TikTok videos, voice snippets, and forum posts, is scraped and fed into large models that learn from them at scale, turning humans’ rich individual lives into training data for systems meant to generate new “content” specifically engineered to capture attention, clicks, and dollars, further perpetuating this cycle. Yet in most jurisdictions, there is still no clear recognition that the people whose data underwrites these systems have any ownership claim over it at all; at best, they have procedural privacy rights that are difficult to exercise and easy to route around.
Over the past decade, the dominant answer to data abuse has been more privacy laws and more regulation. Legislation such as the GDPR and CCPA provide important individual rights: to see what information companies have on them, to correct it, and above all, the right “to be deleted.” This is progress, but notice what these laws do not do. They do not allow you to say that your data is yours the way you can about your house, your bank account, or your labor. They do not provide you with the ability to make a clear claim like “you used my data without my permission, you owe me.” Instead, they treat data as something companies are generally allowed to collect and monetize, subject to a set of compliance duties and opt-out mechanisms. In practice, that means the default is still extraction; your rights arrive late, are hard to exercise, and are easy to design around.
A property framing starts from a different place. Much personal data, especially the data you directly hold on your devices and in your accounts, already looks like an asset in the legal sense: it is definable, excludable, economically valuable, and transferable. Recognizing it as such would make explicit what is currently obscured: when a company copies, trades, or uses that data to train models without meaningful consent, it is not just violating an abstract “privacy interest,” it is appropriating something of value that belongs to you.
I am not arguing that privacy law is useless, or that we should replace it with a pure market in data. The point is that privacy law regulates the manner in which firms exploit your data; a property definition questions who should hold the primary entitlement in the first place. Once we say that individuals hold a property claim over their data, it becomes natural to talk about negotiation, licensing, and compensation.
Of course, there are many challenges and critiques of data as property. Critics of data ownership warn that turning personal information into property could backfire. They worry it will create a new market where the rich can afford privacy and the poor are pushed to sell ever more intimate details of their lives, or that the transaction costs of negotiating millions of tiny licenses will entrench the giants who already dominate today’s markets. Others point out that many data points are relational (such as family and community links) and don’t fit neatly into a story of individual ownership. Even when recognizing that data should be property, these critiques remain valid if every individual has the obligation to steward their own data as a shepherd would his herd; this is not the model I am advocating. On the contrary, I take these concerns as reasons to enforce individual rights and protect them the same way one would protect their time and labor.
Specifically, I am advocating for a model that allows individuals to opt in to a “labor market” for their data while protecting those who choose not to participate. Instead of leaving each person with the impossible, expensive task of monitoring hundreds of companies and enforcing their rights one by one, we should match individual autonomy with collective governance: the individual holds the primary claim over personal and behavioral data, which they can pool into a member-owned union and negotiate on fair terms, set red lines, and refuse toxic deals altogether. Property, in this view, is not the end state; it is the legal foundation that empowers the individual and makes meaningful collective bargaining over data possible in the first place.
Three Arguments
To these ends, I propose three main arguments: moral autonomy, economic fairness, and balance of power.
There is, first and foremost, the moral argument for autonomy and identity. As individuals in a modern and empowered society, we each have the inalienable right to self-determination. Our lives are ever more intertwined with “data” such that it no longer records what we do but determines how we do it; it tangibly affects our lives from the news we see, to the purchases we make, to the food we eat. Framing data as merely “information about you” understates the bidirectional relationship we have with it, while treating it as something we own provides clarity to an intuition most people already have. It is wrong to take detailed records of your life, manipulate you with them, and turn a profit without your consent or say in the terms.
Second is the argument of economic fairness. Personal data is now the primary input into a vast ecosystem of targeted advertising, risk scoring, and content generation. This makes it an asset that generates real revenue for firms that harvest and process it. Yet you — the person creating this capital simply by living your life — see none of that value. Property law is how we recognize and organize claims over productive assets; it gives us the vocabulary to return credit to producers. Without a property claim, individuals are not producers; we are raw material.
Last, we must consider the structure of power that surrounds our data. Framing this conversation around privacy focuses only on compliance within existing business models, predicated on the idea that the platforms are producing the data, not extracting it from users. Treating data as property provides a different starting point, giving primary entitlement and leverage to the person instead of the platform intermediating their activity. Once it is established that any further use requires strict permission from the individual, it becomes natural to talk about contracts, licenses, conditions, revocation, and, crucially, about pooling entitlements to negotiate a better deal.
The case for individual ownership of data is clear, though there are limitations that must be analyzed. Like freelance labor, individual management of data is a task that is simply too exhausting for many. Transaction costs, negotiations, invoice follow-ups, and abusive markets would render such a system inoperable at scale. Instead, like-minded individuals can pool resources to build negotiating leverage, set terms, delegate accounting, and reduce costs. Modern technology has never been more adept than now at “democratization,” and the purpose of this project is to provide a direction and platform for efficient data sovereignty.
Like it or not, the world we live in is now one where our lives are defined by data. The question is not whether data will be collected and used, but who it will serve. Sticking our heads in the sand and pretending otherwise only cements a status quo in which others capture value from information drawn out of our lives while we absorb the risks and none of the rewards.
The alternative is to treat our data as something we own, and to build organizations that explain what is happening to our data, how we can use it, and how we can finally benefit from a resource we already produce. These organizations can negotiate democratically, turning individuals from natural resources into constituents whose vote and veto matter. Firms that want access to rich, high-quality data will have to approach cooperatives as counterparties, not as resources to be mined. Licenses will come with democratic conditions attached: no resale, fair use, audit rights, and compensation. Lawmakers, in turn, will be able to point to concrete institutions that manage data as personal property and use them as models for stronger rights in statute.
This is the future I am arguing for. Data exists, we produce it, and it won’t go away. It affects our lives and produces tangible value, generating financial prosperity and freedom for its owners. It belongs to you — let’s start acting like it.