The Current Legal Gap
Personal data property rights do not exist in US law. That sentence deserves to sit alone for a moment. You generate terabytes of behavioral, biometric, financial, and health data every year. No statute grants you a cognizable ownership interest in any of it.
Courts have repeatedly declined to treat data as property. The Federal Trade Commission regulates data practices under Section 5 of the FTC Act as unfair or deceptive conduct but stops well short of declaring individuals the legal owners of data about themselves. The result is a system where corporations hold de facto property rights in your data while you hold none.
This is not an accident. It is the predictable output of a legal architecture built before the commercial internet existed and never meaningfully updated for the data economy.
What Property Law Actually Requires
To understand why data ownership is legally complicated, you need to understand what property law actually requires. Property in the legal sense is a bundle of rights: the right to exclude others, the right to transfer, the right to use, and the right to destroy. These four sticks are what make a thing ownable in common law jurisdictions.
Data breaks every one of these requirements in interesting ways. It is non-rivalrous, meaning my use of a data point does not deplete your use of the same data point. It is infinitely copyable at near-zero marginal cost. It is often jointly generated, meaning your location data requires a cell tower, a device manufacturer, a carrier network, and you to exist at all. Assigning exclusive ownership to any single party requires a legal fiction that the law has so far been unwilling to construct.
Intellectual property law runs into the same walls. Copyright protects original expression, not facts. Your weight, your purchase history, your click patterns. None of these qualify as original expression under the Copyright Act. Trade secret law protects information kept confidential by businesses, not personal data flowing through commercial ecosystems. Patent law is simply inapplicable.
Why Existing Frameworks Fall Short

GDPR and CCPA represent the most sophisticated data rights frameworks currently in force, and neither one creates property rights. They create control rights, which is a meaningfully different legal category.
Under GDPR Articles 15 through 21, EU data subjects have rights to access, rectification, erasure, portability, and objection. These are procedural remedies enforced against data controllers. They are not alienable interests. You cannot sell your GDPR rights, pledge them as collateral, or transfer them in a contract. They vanish when you do.
CCPA and its successor CPRA add the right to opt out of the sale of personal information and the right to correct inaccurate data. Again, these are consumer protection rights modeled on regulatory frameworks, not property entitlements. The California Privacy Protection Agency enforces them through administrative action, not property tort claims.
The distinction matters enormously for how remedies work. In property law, you can sue for conversion when someone takes your property without permission. You can seek injunctive relief to recover possession. You can claim unjust enrichment when someone profits from your property. None of these remedies are available to data subjects under current law because data is not property under current law.
Legislative Proposals on the Table
The academic and policy literature on data property rights is substantial, and Congress has seen multiple proposals aimed at filling the gap. The Data Accountability and Transparency Act introduced at the federal level proposed fiduciary duties for data brokers but stopped short of property rights. The idea of treating data processors as fiduciaries to data subjects is compelling but does not resolve the ownership question.
More ambitious proposals have floated the concept of a federal data property statute that would create a new category of intangible property analogous to how the Lanham Act created federal trademark rights. Under such a scheme, personal data generated by an identifiable individual would vest in that individual as a matter of federal law, subject to licensing and transfer provisions.
The challenges are formidable. First, Congress would need to decide what counts as personal data with enough precision to survive a facial challenge. Second, any property regime needs a registry or a recordation system to establish priority and chain of title. Third, the remedial scheme needs to define damages in a market where data values are opaque and context-dependent.
Senator Ron Wyden has been among the more consistent voices pushing for structural data reform, though his proposals have focused primarily on strong privacy enforcement rather than property creation. The American Data Privacy and Protection Act, which advanced further in committee than most federal privacy bills, incorporated data minimization requirements and individual rights but did not establish a property framework.
International Models Worth Examining
A handful of jurisdictions have experimented with concepts closer to data property than anything in US law. China's Personal Information Protection Law, which took effect in 2021, is frequently cited in comparative discussions. It includes provisions treating certain data rights as personal rights in the civil code sense, which in Chinese jurisprudence carries stronger protections than a purely regulatory right. The enforcement record is mixed and the political context is distinct, but the doctrinal move is instructive.
The EU's proposed Data Act, which entered force in 2024, creates portability rights for non-personal machine-generated data and establishes switching rights across cloud providers. It does not create personal data property rights but it does establish that data generated through use of a product belongs in some functional sense to the user of that product. That framing edges closer to property thinking without reaching it.
India's Digital Personal Data Protection Act similarly creates rights frameworks without property designations. The pattern across jurisdictions is consistent: legislators reach for control rights because property rights create too many second-order problems around transaction costs, anticompetitive consolidation, and enforcement complexity.
How Cryptographic Proof Fills the Gap Today
Law tends to trail technology by a decade or more. While legislatures debate the architecture of data property rights, individuals who want to assert ownership interests in their personal data need tools that work within the current legal vacuum.
This is exactly the problem that the Personal Data Asset Origination System addresses. The PDAOS white paper outlines a cryptographic framework for timestamped proof of data origination. The core insight is that while law does not yet grant property rights in personal data, it does recognize evidence. A cryptographically signed certificate establishing that a specific dataset existed in your possession at a verifiable point in time creates an evidentiary record that can support future claims in a legal environment that may look very different.
Think of it as the chain-of-title documentation you would prepare for a property whose legal status is disputed. The underlying ownership question is unresolved, but the factual record of possession and origination is preserved and provable. When law catches up, that record has value.
Own Your Data Inc., the nonprofit behind MyDataKey™, built this system specifically because the legal gap is real and the window for establishing origination evidence is now. Data generated today that lacks a provenance record will be much harder to assert claims over in future legal frameworks than data for which a clear origination certificate exists.
If you want to start building your personal data record today, registering for a MyDataKey™ certificate is the mechanism.
What US Law Would Need to Change
A functional data property regime in the United States would require changes across at least four distinct bodies of law. Understanding the scope of the problem clarifies why progress has been slow.
Federal preemption architecture. A data property statute would need to preempt state law or coexist with CCPA, CPRA, and the growing patchwork of state privacy laws. The interstate commerce implications alone make federal action the only viable path, but federal preemption is politically contentious in a space where California has functioned as a de facto national regulator.
Tort law reform. Property rights are only meaningful if violations are actionable. Current data breach litigation founders on Article III standing doctrine following the Supreme Court's analysis in TransUnion LLC v. Ramirez, which required plaintiffs to show concrete harm beyond the mere exposure of their data. A data property regime would need to establish that interference with data property rights constitutes a cognizable injury without requiring proof of downstream financial harm.
Antitrust integration. Data property rights concentrated in large platforms create network effects that entrench monopoly power. Any ownership framework needs built-in interoperability mandates and data portability requirements to prevent property rights from becoming a barrier to competition rather than a protection for individuals.
International treaty obligations. US companies operating under GDPR, APPI, PIPEDA, and a dozen other frameworks cannot comply with a US data property statute that conflicts with foreign law. A workable framework needs mutual recognition agreements or safe harbor provisions comparable to what Privacy Shield attempted before it was invalidated by the Court of Justice of the European Union in Schrems II.
For a deeper technical analysis of how origination systems interact with these legal questions, the MyDataKey™ technical resource library covers the cryptographic and systems architecture in detail.
The Path Forward
The absence of personal data property rights is not an oversight. It is a structural feature of a legal system that was never designed to handle data as an asset class. Fixing it requires confronting non-rivalrous goods theory, standing doctrine, antitrust law, international treaty obligations, and the basic architecture of property registration all at once.
That does not mean the project is impossible. The Uniform Law Commission has drafted uniform acts in contexts of comparable complexity. The UCC's treatment of secured transactions in Article 9 created a workable nationwide framework for intangible asset security interests that did not exist at common law. A similar legislative effort focused on personal data is technically achievable.
What it requires is political will, model legislation development, and a constituency of individuals who understand that data rights are property rights deferred, not privileges granted. Documenting your data origination today, while the legal framework develops, is the most concrete action available to anyone who wants to be positioned to assert claims when the law finally catches up to the economy it governs.
Own Your Data Inc. exists as a nonprofit precisely because this work should not depend on a commercial incentive to dilute it. Data ownership advocacy and origination documentation need to be available to everyone, not just those who can afford enterprise data governance tools.
Written By
Dr. Patrick Fisher, PhD, NCC, BC-TMH, C-AAIS — Founder, Own Your Data Inc
Editorial Review
This article was reviewed by Ryan Gaughan on July 11, 2026 for accuracy, currency, and clarity. Content is updated when laws or guidance change.