Privacy as Property?
Why Ownership of Personal Data Won't Protect Our Privacy
Is personal data property? Should it be?
I’ve often heard arguments that an effective way to protect privacy would be to protect personal data with property rights. The thinking behind this idea is that ownership of property confers a lot of power on the owner, so perhaps this is the best way to empower individuals to control their data.
Unfortunately, it doesn’t work. I wrote about this problem more than twenty years ago in my book, THE DIGITAL PERSON: TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE (2004) (see here for a free PDF of the entire book).
I began my discussion by explaining the theory animating the proponents of privacy-as-property:
Understood in such terms, control over something entails a bundle of legal rights of ownership, such as rights of possession, alienability, exclusion of others, commercial exploitation, and so on. This is what leads Westin to conclude: “[P]ersonal information, thought of as the right of decision over one’s private personality, should be defined as a property right.”
But there are several deficiencies with protecting privacy as property.
1. Because property rights are alienable, companies will readily make people transfer their data to them, and then the companies will have even more power over people’s data.
Regarding privacy, companies have much greater power over consumers than vice versa. Under the notice-and-choice approach of U.S. law, as well as under many other privacy laws, companies have a wide latitude to define what data they gather and how they’ll use it.
Giving the initial possession of data to individuals doesn’t mean they’ll end up with possession in the end. Companies can readily redefine their relationship with consumers to force the transfer of data to them. In other words, in a scrum for possession of the football, companies have the strongest arms and will resort to ruthless tactics to get what they want.
Under a property rights approach, people might end up with less protection than they have now. If people “sell” their data to companies, then companies might demand that people relinquish their rights in the data, such as the right to delete, to withdraw consent, or to stop certain uses. Currently, when privacy laws provide for individual rights like these, the rights are inalienable; companies can’t force people to bargain them away. But once we start down the property road, this might change.
Perhaps there’s a way the law could restrict companies from what they could do with the data once they wrest ownership of it from people. The property metaphor might be probed to explore other concepts in property such as easements or various rights or requirements that run with the land. Perhaps even when “owning” personal data, a company doesn’t own it totally but certain rights are retained by the consumer. Another analogy might be to historical property where owners can’t do anything they want to the property but must follow certain rules about preservation and maintaining historical character.
But these are exceptions to the normal rules of ownership, and the law would need to start imposing quite a lot of these restrictions to make privacy-as-property work in any reasonably protective way for consumers.
2. People are already trading their personal data away in the current digital economy. Viewing personal data as property just validates what’s already going on.
The internet only appears to be free, but it’s not really free. Companies are offering free or discounted products and services in exchange for personal data. In essence, the data already is people’s property and they are giving it away to use free social media sites, apps, and other technologies.
Right now, even when people turn over their data, it isn’t quite treated as the full property of companies. It exists in a kind of vague twilight. Calling personal data “property” will make transactions in the digital economy more clear; people are selling their data for the convenience and fun of tech.
It might feel good to call a spade a spade. I’m all for ending the ruse that so many digital technologies are free. But there’s a virtue with the vague twilight status of our personal data. When we “sell” it to companies, it’s not fully clear what, exactly, we’re “selling.” If the data is clearly designated as “property” that people “sold” to companies, then companies might be emboldened to exercise wider uses of the data because they “purchased” it.
3. People can’t accurately value their personal data, so they are at risk of selling it for far less than it is worth.
As I wrote in THE DIGITAL PERSON:
A key aspect of property rights, observes information law scholar Pamela Samuelson, is that property is alienable—people can readily trade it away. Market solutions, which view information as property that can be traded in the market, depend upon the ability of people to accurately assess the value of information. As legal scholar Katrin Byford aptly notes, assigning property rights in information “values privacy only to the extent it is considered to be of personal worth by the individual who claims it.” The value of personal information is determined by how much it takes for a person to relinquish it. Since people routinely give out their personal information for shopping discount cards, for access to websites, and even for free, some market proponents (especially the self-regulators) argue that the value of the data is very low to the individuals. The market is thus already adequately compensating individuals for the use of their information.
In a well-functioning market, assuming no market failure, the market might work quite well in valuing personal information. But the market in privacy is not a well-functioning market, and thus its valuation determinations are suspect.
I also noted that people can’t value their data because they must assess the value in separate situations at different times with isolated bits of data:
The aggregation effect severely complicates the individual’s ability to ascribe a value to personal information. An individual may give out bits of information in different contexts, each transfer appearing innocuous. However, when aggregated, the information becomes much more revealing. As law professor Julie Cohen observes, each instance in which we give out personal information may seem “trivial and incremental,” which “tends to minimize its ultimate effect.” It is the totality of information about a person and how it is used that poses the greatest threat to privacy. From the standpoint of each particular information transaction, individuals will not have enough facts to make a truly informed decision.
Additionally, I contended:
The potential future uses of personal information are too vast and unknown to enable individuals to make the appropriate valuation. The value of much personal information, such as one’s SSN, does not stem from its intimacy, its immediate revelations of selfhood, or the fact that the individual has authored it. Rather, the value is in the ability to prevent others from gaining power and control over an individual; from revealing an individual’s private life; and from making the individual vulnerable to fraud, identity theft, prying, snooping, and the like. Because this value is linked to uncertain future uses, it is difficult, if not impossible, for an individual to adequately value her information. Since the ownership model involves individuals relinquishing full title to the information, they have little idea how such information will be used when in the hands of others.
Viewed through a property lens, we’re pawning our data blind. It’s nearly impossible to assess its value to us because we don’t know how it will be combined and used in the future.
4. The value of personal data is more than just a monetary figure.
Property rights often focus on money as the way to measure the value of personal data, but the value of personal data is much more than just about money. Another quote from THE DIGITAL PERSON:
When personal information is understood as a property right, the value of privacy often is translated into the combined monetary value of particular pieces of personal information. Privacy becomes the right to profit from one’s personal data, and the harm to privacy becomes understood as not being adequately paid for the use of this “property.” But is this really the harm? Can privacy be translated into property concepts without losing some of its meaning?
In Dwyer v. American Express Co., 652 N.E. 2d 1351 (Ill. App. 1995), American Express cardholders sued the company for selling their names to merchants. The plaintiffs advanced a theory for appropriation of the value of their name or likeness, which they rooted in a property theory. The court rejected this theory because “a single, random cardholder’s name has little or no intrinsic value to defendants (or a merchant). Rather, an individual name has value only when it is associated with one of the defendants’ lists. Defendants create value by categorizing and aggregating these names.” The court further reasoned that “defendants’ practices do not deprive any of the cardholders of any value their individual names may possess.”
All this focus on the monetary value of the data led to the court’s failure to recognize the harm to the plaintiffs, which wasn’t really a failure to compensate them. The harm was that their data was used and sold and they were powerless to do anything about it.
For each individual, the use of their personal data by a company might amount to a very small amount of money if individuals were to gain a share of their individualized monetary value. Being paid a small royalty of a few dollars or cents might be nice pocket change, enough to buy a pack of gum (and maybe a happy meal), but it’s a pittance in the overall scheme of things. The greater value of privacy is the risk and harm that it can bring about to individuals and society.
5. Personal data often has shared ownership, which complicates the ability to assign property rights to it.
Much personal data is shared. For example, our genetic data belongs to a lot more than just us. We share a vast majority of DNA with every other human. And we share even more genetic data with family members.
In a transaction, data is created between the seller and buyer. It’s not clear who owns it. Suppose Jack sells Jill the book War and Peace. Is it Jill’s information that she bought War and Peace from Jack? Or can Jack say that it is his information that he sold War and Peace to Jill?
Is Jill’s claim better than Jack’s? Suppose Jill is a celebrity, and it is the highlight of Jack’s life that he sold War and Peace to a famous person. Both Jack and Jill have claims to the data.
As I wrote in THE DIGITAL PERSON: “We often develop personal information through our relationships with others. When a person purchases a product, information is created through the interaction of seller and buyer.”
Our relationships with friends and family also involve shared data. So do our relationships with others, such as colleagues, acquaintances, and everyone we encounter throughout every day. A ton of personal data is generated within these relationships. All parties have ownership claims to the data.
6. Property rights are too individualistic; privacy issues affect us all.
Giving people property rights in their data views privacy as primarily an individual harm. But privacy also affects society. In today’s age of AI, companies can affect people by using the data of other people to train AI models and make algorithmic predictions. Even if the law gives you a right to own your data, it won’t protect you against AI trained on the data of others.
As I wrote in The Limitations of Privacy Rights, 98 Notre Dame L. Rev. 975 (2023):
In today’s “inference economy,” machine learning and other forms of algorithmic decisionmaking work by making inferences based on data sets. Everyone’s data in the data set is used to make inferences, which are often then used to make decisions affecting people. As Salomé Viljoen notes, “Data flows are designed to represent the ways that people are like one another and reveal meaningful things about one another: how we are alike biologically, interpersonally, politically, and economically.”
Conclusion
I’m not advancing a form of collective ownership or arguing that we all should own each other’s data. What I’m contending is that we shouldn’t look to ownership at all.
Ownership isn’t the right tool for protecting personal data. Nor is individual control over personal data.
Instead, we should focus on privacy protection against risk and harm. Being protected against risk and harm isn’t solved with ownership of one’s data; it’s a matter of consumer protection.
Related: Privacy as Contract?
Beyond property law, another component of market approaches to protecting privacy is contract law. In our forthcoming article, Privacy as Contract?, 112 Iowa L. Rev. __ (2026), Professor Woodrow Hartzog and I ask similar questions about contracts as I discussed above about property. Are privacy notices contracts? Should they be?
We argue that doctrinally, the law remains unresolved on the issue, though it is starting to lean towards viewing privacy notices as contracts. Normatively, we contend that privacy notices shouldn’t be treated as contracts because it would be terrible for consumers. Read the draft to find out why.
Daniel J. Solove is the Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. He is the founder of TeachPrivacy, a company that provides workforce privacy, cybersecurity security, and AI training to companies and organizations around the world. He is the author of 10+ books and 100+ articles.
You can follow his events, writings, training, cartoons, and resources by subscribing to his free weekly newsletter.
I completely agree. I understand the impetus for trying to create an economic metric and “ownership” theory around the value of personal data for purposes of making people whole in the context of litigation when there’s been harm. But the European notion of privacy as a fundamental human right is the better standard because it encompasses non-economic, non-ownership, ideas about human agency, freedom of thought, and freedom from surveillance. I have filed at least two expert reports arguing for noneconomic, non-owenerahip interest privacy harms – relying on your taxonomy Prof Solove and your later work with Prof Citron— trying to get courts to understand that there’s more than money or ownership interest at stake when talking about the use of a person‘s information and it is deeply contextual, psychological and of real import in liberal democracies. Don’t even get me started on the “privacy paradox” which is at least in part result of obfuscating privacy practices in such a manner that most individuals have no idea what happens to their personal data throughout the ecosystem or the risk associated with the so-called “choices” they are asked to make.
This is an important post that everyone should read. I’m grateful that someone with deep expertise in data sharing, privacy, and the law is thinking and writing about an issue that touches anyone who uses a computer or smartphone. Most of us cede our data every time we engage with technology. Ownership of that data is already complex and murky, and as you point out, it is not equivalent to property rights. With AI, this becomes even more complicated as our data effectively becomes fair game for large tech companies to use our information and images to train models. And as these systems evolve, the future uses of that data will extend in ways we can’t yet fully imagine or anticipate.