Data ownership laws remain unresolved despite GDPR and CCPA

Thomas Trutschel / Getty Images

"If you park your car in a parking lot, the parking lot doesn't own your car," said Vana CEO Anna Kazlauskas to describe the relationship between users and the data platforms that store about them. The analogy is intuitive. The legal reality is more complicated.

No jurisdiction on Earth grants individuals property rights over their personal data. What exists instead is a patchwork of privacy regulations, intellectual property doctrines, and contract terms that give different parties different claims over the same information. The question of who owns data has been debated for more than two decades. The rise of AI, which requires vast amounts of personal data for training, has made it urgent.

The first major legal framework governing personal data online was the E.U.'s ePrivacy Directive, passed in 2002 and amended in 2009, which became known as the "cookie law." The original 2002 directive allowed cookies with a simple opt-out mechanism, treating browser settings as sufficient protection. The 2009 amendment changed the standard from opt-out to opt-in. Article 5(3) of the amended directive stated that storing information on a user's device was allowed only "on condition that the subscriber or user concerned has given his or her consent." This single change triggered the wave of cookie consent banners that now appear on websites worldwide.