The data trail every person generates is starting to come with rights attached — to see it, move it, monetize it or make it disappear — reversing a decades-old default in which extraction was invisible and consent was theater.
Change driver · Updated July 2026
The shift ahead
For most of the digital era, the deal was implicit: use the service, surrender the data, ask nothing. The deal is being renegotiated in public.
Laws now reach across most of the planet, and they are getting operational teeth — not just principles but platforms: deletion mechanisms, portability rights, penalties per person per day. At the same time, people’s expectations are moving faster than compliance departments, shaped by every breach headline and every unnervingly specific advertisement.
The shift is not to better privacy policies. It is the movement of personal data from institutional asset to personal agency, changing who holds leverage in every relationship built on information.
Why it matters
When people gain real control over their data, business models built on frictionless extraction inherit a consent problem.
For organizations, the exposure runs deeper than fines. Data collected under the old default becomes a liability under the new one — subject to deletion demands, portability requests and scrutiny of every secondary use.
There’s an upside for the trustworthy: organizations that treat data rights as a design principle rather than a compliance burden earn something extraction never could — data people share on purpose.
The right to be forgotten stops requiring a lawyer and becomes a consumer product — one request, every broker, enforced by the state.
California’s DROP platform, launched in January 2026 as the first government-built system of its kind, lets residents send a single deletion request to more than 600 registered data brokers, who face fines of $200 per consumer per day for ignoring it.
Protection stops being a European peculiarity and becomes the baseline condition of operating anywhere.
UNCTAD’s tracking shows 137 of 194 countries have now enacted data protection and privacy legislation — meaning the unregulated market is the exception, not the rule.
When people can take their data with them, it stops being a byproduct and starts being an asset they trade for better terms.
The UK’s open banking regime — born of a competition mandate forcing banks to open customer data — passed 10 million active users in 2024, roughly one in seven Britons now using their own banking data as leverage for better credit, budgeting and payment terms.
Right now, rights are outrunning behavior.
The legal architecture is arriving faster than the habits: most people still click through consent screens unread, and most organizations still treat data rights as forms to process rather than a relationship to redesign. The infrastructure, though, is now real — platforms, penalties and precedents that make agency exercisable the moment people decide to use it.
The line that will matter is the line between compliance and offer: organizations that wait for requests versus those that make control a visible feature people choose them for.
Watch where control over personal data is shifting.
The driver strengthens with every mechanism that makes rights effortless: one-click deletion, automated portability, data intermediaries negotiating on people’s behalf and the first mainstream products marketed on sovereignty rather than convenience.
The question is not whether people care about their data. It is what happens to extraction-based business the moment caring costs nothing.
We track the ones that will reshape your field, and what to do about them.