"If you park your car in a parking lot, the parking lot doesn't own your car," said Vana CEO Anna Kazlauskas to describe the relationship between users and the data platforms that store about them. The analogy is intuitive. The legal reality is more complicated.
No jurisdiction on Earth grants individuals property rights over their personal data. What exists instead is a patchwork of privacy regulations, intellectual property doctrines, and contract terms that give different parties different claims over the same information. The question of who owns data has been debated for more than two decades. The rise of AI, which requires vast amounts of personal data for training, has made it urgent.
The cookie law era established consent, not ownership
The first major legal framework governing personal data online was the E.U.'s ePrivacy Directive, passed in 2002 and amended in 2009, which became known as the "cookie law." The original 2002 directive allowed cookies with a simple opt-out mechanism, treating browser settings as sufficient protection. The 2009 amendment changed the standard from opt-out to opt-in. Article 5(3) of the amended directive stated that storing information on a user's device was allowed only "on condition that the subscriber or user concerned has given his or her consent." This single change triggered the wave of cookie consent banners that now appear on websites worldwide.
The cookie law established a principle that has shaped every subsequent regulation: Users must be told what data is being collected and given some mechanism to control it. But consent is not ownership. Telling a landlord what you plan to do in an apartment does not make the tenant the building's owner.
GDPR created control rights, not property rights
The E.U.'s General Data Protection Regulation, which went into effect in 2018, is the most cited framework in debates about data ownership. The GDPR states in Recital 7 that "natural persons should have control of their own personal data." It grants data subjects a bundle of rights: access, rectification, erasure, portability, and the right to object to processing.
Those rights resemble ownership. They are not. The GDPR regulations do not grant any property rights in data, according to an analysis by the law firm Clifford Chance. The rights arising out of the GDPR do not include the exclusive right to possess personal data. The GDPR only addresses the right to "protect" data, guaranteeing the data subject the possibility to control the data, but not regulating ownership. The right to data protection also does not confer an exclusive right to reap the benefits of the item, as is typical of ownership rights. Data may be used commercially by entities other than the data subject, without the data subject benefiting.
A 2024 report from the European Commission's Publications Office made this gap explicit. The European Data Protection Board has stated that "personal data cannot be considered as a 'tradeable commodity'" and that "even if the data subject can agree to the processing of his or her personal data, he or she cannot waive his or her fundamental rights."
This distinction has real consequences for AI. GDPR Article 20 allows individuals to receive their personal data in a machine-readable format and transmit it to another controller, but it applies only to data the data subject has provided, not to derived or inferred data, according to an analysis of the right to portability. When Instagram builds a psychological profile labeling a user as likely to have depression, that inference belongs to the category of data the user cannot port.
The U.S. regulates use, not rights
The California Consumer Privacy Act, enacted in 2018 and effective January 1, 2020, took a different approach from the GDPR. Rather than framing data as a fundamental right, it framed it as a consumer protection issue. It grants California consumers the right to know what personal information businesses collect about them, how the data is used, and with whom it is shared, as well as the right to request deletion and to opt out of sales.
California was the first state to enact a data-privacy law granting residents ownership of their personal information, according to compliance firm Osano. But even this characterization obscures the limits. The CCPA does not create a property right that users can enforce as they would for ownership of a house or a car. It creates disclosure and deletion obligations for businesses.
The U.S. has no federal comprehensive data privacy law. Nineteen states now have comprehensive consumer privacy laws in effect as of early 2026, covering more than half of the American population, according to privacy compliance firm Secure Privacy. Each creates slightly different consumer rights. None establishes data ownership as a property right.
AI makes the question harder, not easier
The problem is compounding. Companies that collect raw user data process it into inferences, predictions, and profiles. Whether users have any claim to those derivatives is contested. In the U.S., creators of inferred data often argue that it is a trade secret, with ownership remaining with the entity that takes steps to protect it, according to an American Bar Association analysis.
The E.U. is adding new layers. The AI Act, the first comprehensive legal framework on AI worldwide, entered into force in August 2024. It requires providers of general-purpose AI models to publish summaries of training data, comply with E.U. copyright law, and share information with regulators. Article 53(1)(d) requires providers to publish a "sufficiently detailed summary" of training content. In December 2024, the European Data Protection Board adopted Opinion 28/2024, examining when AI models can be considered anonymous, whether legitimate interests justify the use of personal data for training, and what happens when a model is developed with unlawfully processed data.
Meanwhile, the E.U.'s Data Act, which entered into force in January 2024 and came into application in September 2025, takes a step closer to the ownership principle in one area. It gives users of connected devices greater control over the data generated by their products, such as cars, smart TVs, and industrial machinery. But even here, highly enriched data, such as inferred or derived data generated by algorithms, is not in scope, according to the European Commission's FAQs.
The enforcement machine is growing. GDPR fines totaled about €1.2 billion in 2024. The cumulative total since 2018 now stands at €5.88 billion, according to the DLA Piper GDPR Fines and Data Breach Survey. But those fines punish data mishandling. They do not establish that users own it.
The parking lot analogy captures what many people feel should be true. The law, so far, has declined to make it so. Users have growing rights to know about, access, and delete their data. They do not have the right to sell it, license it, or control who profits from the inferences drawn from it. For companies building markets around user-contributed data for AI training, that legal gap is both an opportunity and a risk.
